NTW600 Introduction To Cyber Security

NTW600 - Computer Network and Security
Week 1: Introduction to Cybersecurity

Whitman, M.E. and Mattord, H.J., 2021. Principles of information security. Cengage learning.

Assessments

Learning Resources

• Textbook: Whitman, M.E. and Mattord, H.J., 2021. Principles of information security. Cengage learning.

• Cybersecurity and Infrastructure Security Agency (CISA): https://www.cisa.gov/

• National Institute of Standards and Technology (NIST): https://www.nist.gov/

• Cybersecurity Ventures: https://cybersecurityventures.com/

Academic Integrity

• You must take responsibility for ensuring at all times that you follow appropriate academic
practices, particularly when it comes to preparing assessment items.

• Do not put yourselves at risk of an allegation of misconduct such as cheating or plagiarism.

• Plagiarism is unacceptable as it is contrary to the principle that students must present their
own assessment.

• It is not permissible to copy ideas, phrases, paragraphs, formulas, methods, evidence, programming code or diagrams without correctly referencing the source.

Objectives:

• Discuss basic concepts related to Cyber Security.

• Describe the common vulnerabilities and potential threats.

• Analyse and evaluate key security implementation strategies.

• Analyse various secure software development approaches.

The History of Information Security

• 1950s: First mainframe computer produced
• 1960s: ARPANET developed
• 1983: Information Security
• 1988: Information Systems Security
• 1995: Enterprise Protection
• 2010s: IoT Security, Wearable Security

Illustration of Computer Network Vulnerabilities

What is Security?

• “A state of being secure and free from danger or harm; the actions taken to make someone or something secure.”

• A successful organisation should have multiple layers of security in place to protect:

Physical Infrastructure, Operations, People, Functions, Communication, Information

C.I.A Triad & Components of Information Security

Layer | Description
Products | Form the security around the data. May be as basic as door locks or as complicated as network security equipment.
People | Those who implement and properly use security products to protect data.
Policies and procedures | Plans and policies established by an enterprise to ensure that people correctly use the products.

• Vulnerability: Flaw or weakness that allows a threat agent to bypass security

• Threat vector: The means by which an attack can occur

• Risk: A situation that involves exposure to some type of danger

• Risk response techniques:
  • Accept – risk is acknowledged but no steps are taken to address it
  • Transfer – transfer risk to a third party
  • Avoid – identifying risk but making the decision to not engage in the activity
  • Mitigate – attempt to address risk by making the risk less serious

Term | Example in scooter scenario | Example in information security
Asset | Scooter | Employee database
Threat | Steal scooter | Steal data
Threat actor | Thief | Attacker, hurricane
Vulnerability | Hole in fence | Software defect
Attack vector | Climb through hole in fence | Access web server passwords through flaw in operating system
Likelihood | Probability of scooter stolen | Likelihood of virus infection
Risk | Stolen scooter | Virus infection or stolen data

Key Cyber Security Concepts

Access, Asset, Attack, Control, Exploit, Exposure, Loss, Protection profile, Risk, Threat, Threat agent, Threat event, Threat source, Vulnerability

Critical Characteristics of Information

Availability Accuracy Authenticity Confidentiality

Integrity Utility Possession

Critical Characteristics of Information cont.

The McCumber Cube

Components of an Information System
• Information Systems are the entire set of people,
procedures, and technology that enable the
business to use information.

Software Hardware Data

People Procedures Networks

Security Professionals and the Organization

• A wide range of professionals is required to support a diverse Information Security program.

• Senior management is the key component.
  • Chief Information Officer (CIO)
  • Chief Information Security Officer (CISO)

• Additional administrative support and technical expertise are required to implement the details of the Information Security program.

Senior Management

• Chief Information Officer (CIO):
  • Senior technology officer
  • Primarily responsible for advising the senior executives on strategic planning.

• Chief Information Security Officer (CISO):
  • Has primary responsibility for assessment, management, and implementation of Information Systems in the organisation
  • Usually reports directly to the CIO.

Data Responsibilities

• Data Owners: Senior management responsible for the security and use of a particular set of information.

• Data Custodians: Responsible for the information and systems that process, transmit, and store it.

• Data Users: Individuals with an information security role.

Information Security Project Team
• A small functional team of people who are experienced in one or
multiple facets of required technical and nontechnical areas:

• Champion

• Team leader

• Security policy developers

• Risk assessment specialists

• Security professionals

• Systems administrators

• End users.
Balancing Information Security and Access

• Security should be considered a balance between protection and availability.

• To achieve balance, the level of security must allow reasonable access, yet protect against threats.

Class Activity One - Time Allowed: 20 min

• This is an in-class activity.

• Each student will present his/her work to the class.

• Using the internet, find out about one of the latest Cyber
Security attacks and report on the following:

  • Identify and discuss various elements related to the attack, such as vulnerability, asset, loss, threat agent, etc.
  • Identify and discuss critical characteristics of information that got compromised, such as availability, integrity, confidentiality.
  • Identify and discuss the components of Information Systems that got compromised, such as software, hardware, data, and people.

Approaches to Information Security Implementation

Security in the Systems Development Life Cycle (SDLC)

SDLC Waterfall Methodology

Security in the SDLC

National Institute of Standards and Technology (NIST) Approach

1. Initiation

2. Development/Acquisition

3. Implementation/Assessment

4. Operation/Maintenance

5. Disposal

Security in SDLC cont.

Phase 1: Initiation

Phase 2: Development

Phase 3: Implementation

Phase 4: Operation

Phase 5: Disposal

Class Activity Two - Time Allowed: 20 min

• This is an in-class activity.

• Each student will present his/her work to the class.

• You are hired as a security consultant by XYZ hospital to protect their ICT infrastructure from various vulnerabilities and threats:
  • You have to analyze and evaluate the suitability of the two key security implementation approaches (i.e. Top-down and Bottom-up) for the XYZ hospital.
  • Recommend one approach for the hospital by giving at least three appropriate reasons.

Review: What Did We Learn Today?

• Computer security began immediately after the first mainframes were developed.

• Successful organisations have multiple layers of security in place: physical, personal, operations, communications, network, and information.

• Security should be considered a balance between protection and availability.

• Information security must be managed similar to any major system implemented in an organisation using a methodology like the SDLC.

Next Week – What’s Coming Up?

1. Need and importance of security for organisations.

2. Various categories of threats to information security.

3. Common security vulnerabilities and attacks.

4. Security failures in software development.

Suggested Reading:

• Textbook Chapter 2

• Jouini, M, Rabai, L & Aissa, A, 2014. ‘Classification of Security Threats in Information Systems’. Procedia Computer Science, vol. 32, pp. 489-496.