Lecture 01 - Information Security-201.

This document provides an overview of an information security unit, including assignments, learning objectives, key terms and concepts, and the history of information security. It discusses the CIA triad and how it has expanded to additional characteristics of information security. The document also outlines some important events and developments in the history of information security.

Uploaded by

Abdur Rafay

CSI2102 Information Security

Aleatha Shanley
(Unit Coordinator & Lecturer)
Email: [email protected]
Phone : +61 8 6304 2849
Office: ECU JO Campus 18.418A
What to expect in this unit

Assignments
• Assignment 1: worth 20%
• Assignment 2: worth 30%
• Exam: worth 50%

You do not need to pass the exam to pass the unit.


Module 1
Introduction to Information Security
Learning Objectives

• Recount the brief history of computer security and how it has evolved into information security
• Define Information Security
• Define key terms and concepts
• Understand and describe the C.I.A. triad
• Approaches to Information Security
Why is Information Security Important?

What is information?
What is Information Security?
Why does it matter?

Recommended Viewing:
Panopticon by Peter Vlemmix
https://www.youtube.com/watch?v=FUyB0Tsj6jE
History of Information Security
The History of Information Security

• Computer security began immediately after the first mainframes were developed
  - Groups developing code-breaking computations during World War II created the first modern computers
  - Multiple levels of security were implemented
    • Physical controls to limit access to sensitive military locations to authorized personnel
    • Rudimentary in defending against physical theft, espionage, and sabotage
Principles of Information Security, Fifth Edition
The 1960s

• Advanced Research Projects Agency (ARPA) began to examine the feasibility of redundant networked communications
• Larry Roberts developed ARPANET from its inception.

The 1970s and 80s

• ARPANET grew in popularity, as did its potential for misuse
• Fundamental problems with ARPANET security were identified
  - No safety procedures for dial-up connections to ARPANET
  - Non-existent user identification and authorisation to the system
• Late 1970s: the microprocessor expanded computing capabilities and security threats

The 1970s and 80s (cont’d.)

• Information security began with Rand Report R-609 (the paper that started the study of computer security)
• Scope of computer security grew from physical security to include:
  - Safety of data
  - Limiting unauthorized access to data
  - Involvement of personnel from multiple levels of an organisation

MULTICS

• Early focus of computer security research was a system called Multiplexed Information and Computing Service (MULTICS)
• First operating system created with security as its primary goal
• Mainframe, time-sharing OS developed in the mid-1960s by General Electric (GE), Bell Labs, and Massachusetts Institute of Technology (MIT)
• Several MULTICS key players created UNIX
• Primary purpose of UNIX was text processing
The 1990s

• Networks of computers became more common; so too did the need to interconnect networks
• Internet became the first manifestation of a global network of networks
• Initially based on de facto standards
• In early Internet deployments, security was treated as a low priority
2000 to Present

• The Internet brings millions of computer networks into communication with each other—many of them unsecured
• Ability to secure a computer’s data is influenced by the security of every computer to which it is connected
• Growing threat of cyber attacks has increased the need for improved security
Key terms, concepts and definitions
Information?

• Data can be thought of as attributes or details of an object or thing in its raw form. Data is unorganized and has no context.
• Information is organised data about a thing or object so that it is useful and has context; for example, a person has a name, gender and eye colour. This information is useful to identify a “person”.

Thus, information is a product of data and the way humans interpret it.
Information

Information is data that has been organized, structured and presented in a format that provides insight into its context, value and usefulness.

Knowledge is applied to information to give it meaning.
What Is Security?
In generic terms, “a state of being secure and free from danger or harm; the
actions taken to make someone or something secure” (Oxford, 2018).

A successful organization should have multiple layers of security in place to protect:
• Operations
• Physical infrastructure
• People
• Functions
• Communications
• Information
Information Security

Objective: Define Information Security

• Information security: a “well-informed sense of assurance that the information risks and controls are in balance.” — Jim Anderson, Inovant (2002)

What Is Information Security?

The protection of information and its critical elements, including the people, systems and hardware that use, store, and transmit that information.

Information security aims to protect the confidentiality, integrity and availability of information, referred to as the CIA triad.
What Is Information Security?

Information security (InfoSec) focuses on the protection of information and the characteristics that give it value, such as confidentiality, integrity, and availability, and includes the technology that houses and transfers that information through a variety of protection mechanisms such as policy, training and awareness programs, and technology (Whitman & Mattord, 2016).
What is an Information Asset?

Information or a resource that has value to an organisation, and the systems that store, process and transmit that information.
Key Information Security Concepts

• Access
• Asset
• Attack
• Control, Safeguard, or Countermeasure
• Exploit
• Exposure
• Loss
• Protection Profile or Security Posture
• Risk
• Subjects and Objects
• Threat
• Threat Agent
• Vulnerability
Key Information Security Concepts

A computer, and therefore the information residing on it, can be the subject of an attack and/or the object of an attack:
  - When the subject of an attack, the computer is used as an active tool to conduct the attack (tool used by the perpetrator)
  - When the object of an attack, the computer is the entity being attacked (the victim)
[Figure: the CIA triad - Confidentiality, Integrity, Availability]

CIA Triad and the CNSS Model
Components of Information Security
CIA triad

Industry standard based on three characteristics that describe the utility of information. A model designed to guide policies for information security within an organization.

• Now viewed as inadequate.
• Expanded model consists of a list of critical characteristics of information.
The CIA Triad

Confidentiality: only those with sufficient privileges and a demonstrated need may access it
Integrity: the quality or state of being whole, complete, and uncorrupted
Availability: authorized users have access to information in a usable format, without interference or obstruction
Source: Management of Information Security, 5th Edition - © Cengage Learning
Critical Characteristics of Information

The value of information comes from the characteristics it possesses.

• Availability
  The information is said to be available to an authorized user when and where needed and in the correct format.
• Accuracy
  Free from mistake or error / having the value that the end user expects.
• Authenticity
  The quality or state of being genuine or original, rather than a reproduction or fabrication.
Critical Characteristics of Information

• Confidentiality
  The quality or state of preventing disclosure or exposure to unauthorized individuals or systems.
• Integrity
  The quality or state of being whole, complete, and uncorrupted.
• Utility
  The quality or state of having value for some purpose or end. Information has value when it serves a particular purpose.
• Possession
  The quality or state of having ownership or control of some object or item. Information is said to be in possession if one obtains it, independent of format or other characteristic.
The CIA Triangle and the CNSS Model

The C.I.A. triangle - confidentiality, integrity, and availability - has expanded into a more comprehensive list of critical characteristics of information.

The NSTISSC (or CNSS) Security Model (also known as the McCumber Cube) provides a more detailed perspective on security.

While the NSTISSC model covers the three dimensions of information security, it omits discussion of the detailed guidelines and policies that direct the implementation of controls.
Three Dimensions of Information Security

Confidentiality, Integrity, Availability
  - Goals/Controls (things we want)
Policy, Education, Technology
  - Measures (things we do/use)
Storage, Processing, Transmission
  - States of information and data (things we protect)
A Security Model (CNSS)

[Figure: The McCumber Cube]

The CIA Triad (expanded)
• Due to today’s constantly changing IT environment, the C.I.A. triangle has been
expanded to include:
- Privacy, identification, authentication, authorization, and accountability
• Privacy: information will be used only in ways approved by the person who provided it
• Identification: when an information system is able to recognize individual users
• Authentication: the process by which a control establishes whether a user (or system)
has the identity it claims to have
• Authorization: a process that defines what an authenticated user has been specifically
authorized by the proper authority to do
• Accountability: occurs when a control provides assurance that every activity
undertaken can be attributed to a named person or automated process
Adapted from: Management of Information Security, 5th Edition - © Cengage Learning
Components of an Information System

An information system (IS) is the entire set of components necessary to use information as a resource in the organisation:
  - Software
  - Hardware
  - Data
  - People
  - Procedures
  - Networks
Components of an Information System
Traditional system   Information asset         Risk management
components           components                system components
-------------------  ------------------------  -------------------------------------
People               Employees                 Trusted employees
                                               Other staff
                     Nonemployees              People at trusted organizations
                                               Strangers and visitors
Procedures           Procedures                IT and business standard procedures
                                               IT and business-sensitive procedures
Data                 Information               Transmission
                                               Processing
                                               Storage
Software             Software                  Application
                                               Operating system
                                               Security components
Hardware             System devices and        System and peripherals
                     peripherals               Security devices
                     Networking components     Intranet components
                                               Internet or DMZ components
Approaches to Information Security
Balancing Information Security & Access

• Impossible to obtain perfect security — it is a process, not an absolute
• Security should be considered a balance between protection and availability
• To achieve balance, the level of security must allow reasonable access, yet protect against threats
Two approaches to InfoSec

1. Bottom-Up Approach (Info Sec)

• Grassroots effort: systems administrators attempt to improve the security of their systems
• Key advantage: technical expertise of individual administrators
• Seldom works, as it lacks a number of critical features:
  - Participant support
  - Organisational staying power
Two approaches to InfoSec

2. Top-Down Approach (Info-Sec)

• Initiated by upper management
  - Issue policy, procedures, and processes
  - Dictate goals and expected outcomes of the project
  - Determine accountability for each required action

The most successful also involve a formal development strategy referred to as the systems development life cycle (SDLC).
Approaches to Information Security Implementation
Security Professionals & the organisation
• Wide range of professionals required to support a diverse information security program
• Senior management is a key component
• Additional administrative support and technical expertise are required to implement the details of the InfoSec program
Senior Management

Chief Information Officer (CIO)
  - Senior technology officer
  - Primarily responsible for advising senior executives on strategic planning

Chief Information Security Officer (CISO)
  - Primarily responsible for assessment, management, and implementation of IS in the organisation
  - Usually reports directly to the CIO
Information Security Project Team

A number of individuals who are experienced in one or more facets of the required technical and nontechnical areas:
  - Champion
  - Team leader
  - Security policy developers
  - Risk assessment specialists
  - Security professionals
  - Systems administrators
  - End users
Communities of Interest

Group of individuals united by similar interests/values within an organisation:
  - Information security management and professionals
  - Information technology management and professionals
  - Organisational management and professionals
Data Responsibilities

• Data owner: responsible for the security and use of a particular set of information
• Data custodian: responsible for storage, maintenance, and protection of information
• Data users: end users who work with information to perform their daily jobs supporting the mission of the organisation
Information Security: Art or Science?

• Implementation of information security is often described as a combination of both art and science
• “Security artisan” idea: based on the way individuals have perceived systems technologists since computers became commonplace
Security as Art and a Science

Security as an Art
• No hard and fast rules nor many universally accepted complete solutions
• No manual for implementing security through an entire system

Security as a Science
• Dealing with technology designed to operate at high levels of performance
• Specific conditions cause virtually all actions that occur in computer systems
• Nearly every fault, security hole, and systems malfunction is a result of the interaction of specific hardware and software
Summary

• Information security is a “well-informed sense of assurance that the information risks and controls are in balance”. It aims to achieve the CIA of information whether in storage, transmission or processing.
• Information security is the protection of information assets that use, store, or transmit information through the application of policy, education, and technology.
• Computer security began immediately after the first mainframes were developed and is now considered a subset of information security.
• There are many types of security: physical, personal, operations, communications, network and national security, to name a few.
• Critical characteristics of information security include confidentiality, integrity and availability (the CIA triad), which must be protected at all times.
Summary

• Technology, Education and Policy are the methods used to protect the confidentiality, integrity and availability of information.
• Successful organisations have multiple layers of security in place, including physical, personal, operations, communications, network, and information.
• Security should be considered a balance between protection and availability.
• Implementation of information security is often described as a combination of art and science.
• The value of information comes from the characteristics it possesses.
• There are two approaches to information security, bottom-up and top-down. The top-down approach is the preferred and most successful approach.
What’s Next

Tutorial
Activity 1: Footprinting and Web Reconnaissance
Activity 2: CNSS Security Model (CIA)
Required reading

Next Week
The Need for Security and Threats to Information Security
