First Meet
MISS 1101: Introduction to Information Security
Instructor
Abu Sayed Md. Mostafizur Rahaman, PhD
Professor
Department of Computer Science and Engineering
Jahangirnagar University
Textbooks
Sixth Edition
2 Introduction to Information Security, Abu Sayed Md. Mostafizur Rahaman, PhD
Google class
• Class code: kimny67
• It contains
– Lecture Materials
– Schedule Updates
– Additional resources
– Etc
Topics Covered Throughout the Course
• Module 1 Introduction to Information Security
• Module 2 The Need for Information Security
• Module 3 Information Security Management
• Module 4 Risk Management
• Module 5 Incident Response and Contingency Planning
• Module 6 Legal, Ethical, and Professional Issues in Information Security
• Module 7 Security and Personnel
• Module 8 Security Technology: Access Controls, Firewalls, and VPNs
• Module 9 Security Technology: Intrusion Detection and Prevention Systems and Other Security Tools
• Module 10 Cryptography
• Module 11 Implementing Information Security
• Module 12 Information Security Maintenance
In-course Exam Schedule
Description                           Week (According to Academic Calendar)   Remarks
CT 01                                 Week 4
CT 02                                 Week 07                                 Group Submission for Presentation through
Group Distribution for Presentation   Week 08
CT 03                                 Week 11
CT 04                                 Week 16
Presentation 01                       Week 16
Presentation 02                       Week 17
Lecture 1: Information Security
• Define information security
• Discuss the history of computer security and explain how it evolved into information security
• Define key terms and critical concepts of information security
• Describe the information security roles of professionals within an organization
The History of Information Security
• Computer security began immediately after the first mainframes were developed.
• Groups developing code-breaking computations during World War II created the first modern computers.
• Multiple levels of security were implemented.
– Physical controls limiting access to sensitive military locations to authorized personnel
– Primarily in defending against physical theft, espionage, and sabotage
Table 1-1 Key Dates in Information Security (1 of 2)
Date   Document
1968   Maurice Wilkes discusses password security in Time-Sharing Computer Systems.
1970   Willis H. Ware authored the report Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security—RAND R-609, which was not declassified until 1979. It became known as the seminal work identifying the need for computer security.
1973   Schell, Downey, and Popek examine the need for additional security in military systems in Preliminary Notes on the Design of Secure Military Computer Systems.
1975   The Federal Information Processing Standards (FIPS) examines DES (Digital Encryption Standard) in the Federal Register.
1978   Bisbey and Hollingsworth publish their study “Protection Analysis: Final Report,” which discussed the Protection Analysis project created by ARPA to better understand the vulnerabilities of operating system security and examine the possibility of automated vulnerability detection techniques in existing system software.
Table 1-1 Key Dates in Information Security (2 of 2)
Date   Document
1979   Dennis Ritchie publishes “On the Security of UNIX” and “Protection of Data File Contents,” which discussed secure user IDs, secure group IDs, and the problems inherent in the systems.
1982   The U.S. Department of Defense Computer Security Evaluation Center published the first version of the Trusted Computer Security (TCSEC) documents, which came to be known as the Rainbow Series.
1982   Grampp and Morris write “The UNIX System: UNIX Operating System Security.” In this report the authors examined four “important handles to computer security”: physical control of premises and computer facilities, management commitment to security objectives, education of employees, and administrative procedures aimed at increased security.
1984   Reeds and Weinberger publish “File Security and the UNIX System Crypt Command.” Their premise was: “No technique can be secure against wiretapping or its equivalent on the computer. Therefore no technique can be secure against the system administrator or other privileged users... the naive user has no chance.”
1992   Researchers for the Internet Engineering Task Force, working at the Naval Research Laboratory, develop the Simple Internet Protocol Plus (SIPP) Security protocols, creating what is now known as IPSEC security.
Figure 1-4 Illustration of computer network vulnerabilities from RAND Report R-609
2000 to Present
• The Internet brings millions of unsecured computer networks into
continuous communication with each other.
• The ability to secure a computer’s data was influenced by the security of
every computer to which it is connected.
• The growing threat of cyber attacks has increased awareness of the need for improved security.
– Nation-states engaging in information warfare
What Is Security? (1 of 2)
• “A state of being secure and free from danger or harm; the actions taken to make
someone or something secure.”
• A successful organization should have multiple layers of security in place to protect:
– Operations
– Physical infrastructure
– People
– Functions
– Communications
– Information
What Is Security? (2 of 2)
• Information Security: The protection of information and its critical elements, including
systems and hardware that use, store, and transmit that information
– Includes information security management, data security, and network security
• C.I.A. triad
– Is a standard based on confidentiality, integrity, and availability, now viewed as inadequate.
– Expanded model consists of a list of critical characteristics of information.
Figure 1-5 Components of information security (1 of 2)
Figure 1-5 The C.I.A. triad (2 of 2)
Key Information Security Concepts (1 of 2)
• Access
• Asset
• Attack
• Control, safeguard, or countermeasure
• Exploit
• Exposure
• Loss
• Protection profile or security posture
Key Information Security Concepts (2 of 2)
• Risk
• Subjects and objects of attack
• Threat
• Threat agent
• Threat event
• Threat source
• Vulnerability
Critical Characteristics of Information
• The value of information comes from the characteristics it possesses:
• Availability: enables authorized users—people or computer systems—to access information without interference or
obstruction and to receive it in the required format.
• Accuracy: Free from mistake or error and having the value that the end user expects
• Authenticity: The quality or state of being genuine or original, rather than a reproduction or fabrication
• Confidentiality: ensures that only users with the rights, privileges, and need to access information can do so.
• Integrity: when it is in its expected state and can be trusted
• Utility: Information has value when it serves a particular purpose. This means that if information is
available, but not in a format meaningful to the end user, it is not useful.
• Possession: Information is said to be in possession if one obtains it, independent of format or another
characteristic. While a breach of confidentiality always results in a breach of possession, a breach of
possession does not always result in a breach of confidentiality.
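The possession / confidentiality / integrity distinction above, as an added example that is not part of the lecture: a stored record is protected with encrypt-then-MAC using only the Python standard library (HMAC-SHA256 run as a counter-mode keystream for confidentiality, a second HMAC tag for integrity). Copying the record breaches possession; confidentiality falls only if the encryption key is stolen as well, and any alteration fails the integrity check. The keys, nonce and record contents are constructed values.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode to produce `length` keystream bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def protect(enc_key: bytes, mac_key: bytes, plaintext: bytes, nonce: bytes = b"") -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag.

    The keystream provides confidentiality; the tag provides integrity (and
    authenticity of origin, since only a holder of mac_key can produce it).
    """
    nonce = nonce or os.urandom(NONCE_LEN)  # a fixed nonce is passed in only for the demo
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def is_intact(mac_key: bytes, record: bytes) -> bool:
    """Integrity check: recompute the tag over nonce || ciphertext and compare in constant time."""
    nonce, ciphertext, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def unprotect(enc_key: bytes, mac_key: bytes, record: bytes) -> bytes:
    """Refuse to decrypt anything whose tag does not verify; otherwise recover the plaintext."""
    if not is_intact(mac_key, record):
        raise ValueError("integrity check failed: record was altered")
    nonce, ciphertext = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN]
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def breach_outcome(record: bytes, plaintext: bytes, stolen: dict) -> dict:
    """Classify what someone who copied `record` gained, given which keys (if any) leaked too.

    Possession is breached the moment the record is copied. Confidentiality is breached
    only if the copy can be turned back into the plaintext, i.e. enc_key also leaked.
    """
    outcome = {"possession_breached": True, "confidentiality_breached": False}
    if "enc_key" in stolen:  # decryption needs no MAC key, so check the stream alone
        nonce, ciphertext = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN]
        stream = _keystream(stolen["enc_key"], nonce, len(ciphertext))
        outcome["confidentiality_breached"] = bytes(c ^ k for c, k in zip(ciphertext, stream)) == plaintext
    return outcome
```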
CNSS Security Model
The McCumber Cube
Components of an Information System
• An information system (IS) is the entire set of people, procedures, and
technology that enable a business to use information.
– Software
– Hardware
– Data
– People
– Procedures
– Networks
Security And The Organization
• Security has to begin somewhere in the organization, and it takes a wide range of professionals to support
a diverse information security program.
• The following sections discuss the development of security as a program and then describe typical
information security responsibilities of various professional roles in an organization.
– Balancing Information Security and Access
– Approaches to Information Security Implementation
– Security Professionals
– Data Responsibilities
– Communities of Interest
Balancing Information Security and Access
Impossible to obtain perfect information security—it is a process, not a goal.
Security should be considered a balance between protection and availability.
To achieve balance, the level of security must allow reasonable access, yet
protect against threats.
Approaches to Information Security Implementation: Bottom-Up Approach
Grassroots effort: systems administrators attempt to improve the security of their systems.
Key advantage: technical expertise of individual administrators
Seldom works, as it lacks a number of critical features:
– Participant support
– Organizational staying power
Approaches to Information Security Implementation: Top-Down Approach
Initiated by upper management:
– Issue policy, procedures, and processes
– Dictate goals and expected outcomes of project
– Determine accountability for each required action
The most successful type of top-down approach also involves a formal
development strategy referred to as systems development life cycle.
Figure 1-12 Approaches to information security implementation
Security in the Systems Development Life Cycle
Systems development life cycle (SDLC): a methodology for the design and
implementation of an information system
Methodology: a formal approach to solving a problem based on a structured
sequence of procedures
Using a methodology:
– Ensures a rigorous process with a clearly defined goal
– Increases probability of success
Figure 1-13 SDLC waterfall methodology
Investigation
What problem is the system being developed to solve?
Objectives, constraints, and scope of project are specified.
Preliminary cost-benefit analysis is developed.
At the end of all phases, a process is undertaken to assess economic, technical, and behavioral feasibilities
and ensure implementation is worth the time and effort.
Analysis
Consists of assessments of:
– The organization
– Current systems
– Capability to support proposed systems
Analysts determine what the new system is expected to do and how it will
interact with existing systems.
Analysis ends with documentation of findings and an update of feasibility.
Logical Design
The first and driving factor is the business need. Applications are selected to provide needed services.
Data support and structures capable of providing the needed inputs are identified.
Specific technologies are delineated to implement the physical solution.
Analysts generate estimates of costs and benefits to allow comparison of available options.
Feasibility analysis is performed at the end.
Physical Design
Specific technologies are selected to support the alternatives identified and evaluated in the
logical design.
Selected components are evaluated on make-or-buy decision.
Feasibility analysis is performed.
Entire solution is presented to organization’s management for approval.
Implementation
Needed software is created.
Components are ordered, received, and tested.
Users are trained and supporting documentation created.
Feasibility analysis is prepared.
Sponsors are presented with the system for a performance review and acceptance test.
Maintenance and Change
Longest and most expensive phase
Consists of the tasks necessary to support and modify the system for the remainder of its
useful life
Life cycle continues until the team determines the process should begin again from the
investigation phase
When current system can no longer support the organization’s mission, a new project is
implemented
Software Assurance (1 of 3)
Many organizations recognize the need to include planning for security objectives in the SDLC used to
create systems.
Established procedures to create software that is more capable of being deployed in a secure fashion.
This approach is known as software assurance (SA).
A national effort is under way to create a common body of knowledge focused on secure software
development.
Software Assurance (2 of 3)
U.S. Department of Defense and Department of Homeland Security supported the Software
Assurance Initiative, which resulted in the publication of Secure Software Assurance (SwA)
Common Body of Knowledge (CBK).
SwA CBK serves as a strongly recommended guide to developing more secure applications.
SwA CBK, which is a work in progress, contains the following sections:
– Nature of Dangers
– Fundamental Concepts and Principles
– Ethics, Law, and Governance
Software Assurance (3 of 3)
– Secure Software Requirements
– Secure Software Design
– Secure Software Construction
– Secure Software Verification, Validation, and Evaluation
– Secure Software Tools and Methods
– Secure Software Processes
– Secure Software Project Management
– Acquisition of Secure Software
– Secure Software Sustainment
Security Professionals and the Organization
Wide range of professionals are required to support a diverse
information security program.
Senior management is the key component.
Additional administrative support and technical expertise are required to
implement details of the IS program.
Senior Management
Chief information officer (CIO)
• Senior technology officer
• Primarily responsible for advising the senior executives on strategic
planning
Chief information security officer (CISO)
• Has primary responsibility for assessment, management, and
implementation of IS in the organization
• Usually reports directly to the CIO
Information Security Project Team
• A small functional team of people who are experienced in one or multiple
facets of required technical and nontechnical areas:
– Champion
– Team leader
– Security policy developers
– Risk assessment specialists
– Security professionals
– Systems administrators
– End users
Data Responsibilities
Data owners: senior management responsible for the security and use of a particular set of
information
Data custodians: responsible for the information and systems that process, transmit, and
store it
Data trustees: individuals appointed by data owners to oversee the management of a particular set of
information and to coordinate with data custodians for its storage, protection, and use
Data users: individuals with an information security role
Communities of Interest
• Group of individuals united by similar interests/values within an
organization
– Information security management and professionals
– Information technology management and professionals
– Organizational management and professionals
Information Security: Is It an Art or a Science?
Implementation of information security is often described as a combination
of art and science.
“Security artisan” idea: based on the way individuals perceive system
technologists and their abilities.
Security as Art
No hard and fast rules nor many universally accepted complete solutions
No manual for implementing security through the entire system
Security as Science
Dealing with technology designed for rigorous performance levels.
Specific conditions cause virtually all actions in computer systems.
Almost every fault, security hole, and systems malfunction is a result of interaction of
specific hardware and software.
If developers had sufficient time, they could resolve and eliminate faults.
Security as a Social Science
Social science examines the behavior of individuals interacting with
systems.
Security begins and ends with the people that interact with the
system, intentionally or otherwise.
Security administrators can greatly reduce the levels of risk caused by
end users and create more acceptable and supportable security
profiles.