The document provides an introduction to information security, outlining its history, key concepts, and the importance of balancing security with access. It discusses the evolution of information security from early computer systems to modern practices, emphasizing the CIA triad of confidentiality, integrity, and availability. Additionally, it highlights the critical characteristics of information and the components necessary for securing information systems.
Lecture-1 and 2
Chapter-1
(Lectures 1 and 2)
Introduction to Information Security
Dr. Muhammad Khalil Afzal
Associate Professor, Department of Computer Science, CUI, Wah

Welcome
• Syllabus overview
• Introduction – instructor, class
• Question
• Can you recall any example you were involved in that related to computer security (e.g., receiving a phishing email, your computer getting a virus)?
• Have you thought of practices or policies for prevention?
Chapter-1 Introduction to Information Security 2
Outline of Lecture
• Introduction and History of Information Security
• What Is Security?
• CNSS Security Model
• Components of an Information System
• Balancing Information Security and Access
• Approaches to Information Security Implementation
• The Systems Development Life Cycle
• The Security Systems Development Life Cycle
• Security Professionals and the Organization
• Communities of Interest
• Information Security: Is it an Art or a Science?

Learning Objectives
• Understand the definition of information security
• Comprehend the history of computer security and how it evolved into information security
Introduction
• Information security: a “well-informed sense of assurance that the information risks and controls are in balance.” —Jim Anderson, Inovant (2002)
The History of Information Security
• Began immediately after the first mainframes were developed
• Groups developing code-breaking computations during World War II created the first modern computers
• Physical controls were used to limit access to sensitive military locations to authorized personnel
• These controls were rudimentary in defending against physical theft, espionage, and sabotage
The 1960s
• Advanced Research Projects Agency (ARPA) began to examine the feasibility of redundant networked communications
• Larry Roberts developed ARPANET from its inception
The 1970s and 80s
• ARPANET grew in popularity, as did its potential for misuse
• Fundamental problems with ARPANET security were identified
• No safety procedures for dial-up connections to ARPANET
• Non-existent user identification and authorization to the system
• Late 1970s: the microprocessor expanded computing capabilities and security threats
R-609
• Information security began with Rand Report R-609 (the paper that started the study of computer security)
• R-609: The First Information Security Document
• R-609 was a seminal document in the history of information security, developed in 1967 by the Advanced Research Projects Agency (ARPA). It is considered one of the earliest formal studies on computer security, laying the groundwork for modern cybersecurity practices.
• Scope of computer security grew from physical security to include:
  • Safety of data
  • Limiting unauthorized access to data
  • Involvement of personnel from multiple levels of an organization

Key Aspects of R-609
1. Purpose:
   1. Address the security risks in early computer networks, particularly in time-sharing systems.
   2. Identify and mitigate vulnerabilities in government and military computer systems.
2. Main Security Concerns Identified:
   1. Unauthorized access to classified data.
   2. Data integrity and protection against tampering.
   3. Availability of computer systems to authorized users.
3. Influence on the CIA Triad:
   1. The R-609 report emphasized three key principles that later became the CIA Triad:
      1. Confidentiality (protecting sensitive data).
      2. Integrity (ensuring accuracy and trustworthiness of data).
      3. Availability (ensuring systems are accessible when needed).
4. Impact on Modern Cybersecurity:
   1. Inspired the development of formal security policies.
   2. Influenced government security standards like the Orange Book (TCSEC).
   3. Laid the foundation for network security, encryption, and access control mechanisms.

The 1990s
• Networks of computers became more common; so too did the need to interconnect networks
• The Internet became the first manifestation of a global network of networks
• In early Internet deployments, security was treated as a low priority
The Present
• The Internet brings millions of computer networks into communication with each other—many of them unsecured
• The ability to secure a computer’s data is influenced by the security of every computer to which it is connected
What is Security?
• “The quality or state of being secure—to be free from danger”
• A successful organization should have multiple layers of security in place:
  • Physical security
  • Personal security
  • Operations security
  • Communications security
  • Network security
  • Information security
What is Information Security?
• The protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information
• Necessary tools: policy, awareness, training, education, technology
• The C.I.A. triangle was the standard, based on confidentiality, integrity, and availability
• The C.I.A. triangle has now expanded into a list of critical characteristics of information
Critical Characteristics of Information
• The value of information comes from the characteristics it possesses:
  • Availability
  • Accuracy
  • Authenticity
  • Confidentiality
  • Integrity
  • Utility
  • Possession
NSTISSC Security Model
Figure 1-4 – NSTISSC Security Model
Components of an Information System • Information System (IS) is entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization
Securing Components
• A computer can be the subject of an attack and/or the object of an attack
• When the subject of an attack, the computer is used as an active tool to conduct the attack
• When the object of an attack, the computer is the entity being attacked
Figure 1-5 – Subject and Object of Attack
Balancing Information Security and Access
• Impossible to obtain perfect security—it is a process, not an absolute
• Security should be considered a balance between protection and availability
• To achieve balance, level of security must allow