TOPIC 1 INTRODUCTION TO INFORMATION SECURITY Reference Principles of Information Security
HISTORY OF INFORMATION SECURITY Computer security has been around since the days of the mainframe Need to secure the physical location of hardware from outside threats With World War II, security actually began Access to classified information was limited to those authorized by badges, keys, background checks, and face recognition.
HISTORY OF INFORMATION SECURITY Operating systems provided no security during these times Information security was mainly composed of simple document classification schemes The primary security concern was equipment theft, espionage (間諜活動) against products of the systems and sabotage (破壞活動)
HISTORY OF INFORMATION SECURITY 1970s and 1980s – ARPANET grew into use and so did its misuse. Potential security problems: Sites did not have protection from others accessing remotely Vulnerability of passwords No safety procedures for dial-up connections to ARPANET User identification to access the system did not exist
HISTORY OF INFORMATION SECURITY The Rand Report R-609, which was sponsored by the DoD Identify the role of management and policy issues in computer security Expand the scope of computer security to not only include physical security but also: Safety of the data Limiting access to data Involvement of all personnel from all levels of the organization.
HISTORY OF INFORMATION SECURITY 1990s – As networks became more common, connecting was a must, and connecting to the Internet was high in demand The Internet brought connectivity to all computers that could connect to a phone line or LAN The first connections to the Internet were based on de facto standards that did not consider the security issues involved Security used to be a low priority
HISTORY OF INFORMATION SECURITY Today, the Internet has brought millions of unsecured networks into communication with each other The ability for an individual to secure information on a computer relies on how good the overall network security is that the computer is connected to If an outsider has access to the inside network, it would not take long to access an individual node on that network Computer security has evolved into a component of a complex, multifaceted environment now defined as Information Security
WHAT IS SECURITY? A successful organization should have multiple layers of security in place: Physical security Personal security Operations security Communications security Network security Information security
WHAT IS INFORMATION SECURITY? The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information Necessary tools: policy, awareness, training, education, technology C.I.A. triangle was standard based on confidentiality, integrity, and availability C.I.A. triangle now expanded into list of critical characteristics of information
WHAT IS INFORMATION SECURITY?
CRITICAL CHARACTERISTICS OF INFORMATION Availability – Authorized only users have access to information when and where needed as well as the data needs to in the correct format Accuracy – Accurate, valid. Wrong data is worse than no data Authenticity – State of being original or genuine rather than a copy or fabrication Confidentiality (privacy) - Only those with the rights or privileges access it
CRITICAL CHARACTERISTICS OF INFORMATION Integrity – Quality, completeness, or state of the data (uncorrupted) Utility - Purpose or usability of the data or information Possession - Having ownership or control of information A breach of confidentiality always results in a breach of possession But a breach of possession does not always result in a breach of confidentiality. Example - Someone steals a tape backup containing encrypted data. The theft is a breach of possession, but since the data is encrypted, the data will remain confidential (until the code is broken).
COMPONENTS OF AN INFORMATION SYSTEM Software – System software and application software. Hardest to secure Hardware – Physical components (assets) of the information system Data – The main object of intentional attempted attacks People – Security is a people problem. People are the weakest link when it comes to security. More inside theft/security breaches occur than outside. It takes policy, education, training, technology, and awareness to strengthen the weakest link.
COMPONENTS OF AN INFORMATION SYSTEM Procedures – Written instructions used to accomplish a task. If an unauthorized person acquires procedures, that can be a security breach. Procedures should be distributed on a need-to-know basis. Networks – Most networks are connected to the Internet. Steps to make networks secure is very demanding and definitely essential.
Direct Attack/Indirect Attack Computer can be subject of an attack and/or the object of an attack. When the subject of an attack, computer is used as an active tool to conduct attack. When the object of an attack, computer is the entity being attacked.
Security Versus Access Impossible to obtain perfect security. it is a process, not an absolute. Security should be considered balance between protection and availability. To achieve balance, level of security must allow reasonable access, yet protect against threats.
Security Versus Access
Approaches to Information Security Implementation Bottom-Up Approach Grassroots effort: systems administrators attempt to improve security of their systems Key advantage: technical expertise of individual administrators Seldom works, as it lacks a number of critical features: Participant support Organizational staying power
Approaches to Information Security Implementation Top-Down Approach Initiated by upper management Issue policy, procedures and processes Dictate goals and expected outcomes of project Determine accountability for each required action The most successful also involve formal development strategy referred to as systems development life cycle
SYSTEMS DEVELOPMENT LIFE CYCLE Systems development life cycle (SDLC) is methodology and design for implementation of information security within an organization Methodology is formal approach to problem-solving based on structured sequence of procedures Using a methodology ensures a rigorous process avoids missing steps Goal is creating a comprehensive security posture/program
SYSTEMS DEVELOPMENT LIFE CYCLE
INVESTIGATION What problem is the system being developed to solve? Objectives, constraints and scope of project are specified Preliminary cost-benefit analysis is developed At the end, feasibility analysis is performed to assesses economic, technical, and behavioral feasibilities of the process
ANALYSIS Consists of assessments of the organization, status of current systems, and capability to support proposed systems Analysts determine what new system is expected to do and how it will interact with existing systems Ends with documentation of findings and update of feasibility analysis
LOGICAL DESIGN Main factor is business need; applications capable of providing needed services are selected Data support and structures capable of providing the needed inputs are identified Technologies to implement physical solution are determined Feasibility analysis performed at the end
PHYSICAL DESIGN Technologies to support the alternatives identified and evaluated in the logical design are selected Components evaluated on make-or-buy decision Feasibility analysis performed; entire solution presented to end-user representatives for approval
IMPLEMENTATION Needed software created; components ordered, received, assembled, and tested Users trained and documentation created Feasibility analysis prepared; users presented with system for performance review and acceptance test
MAINTENANCE AND CHANGE Consists of tasks necessary to support and modify system for remainder of its useful life Life cycle continues until the process begins again from the investigation phase When current system can no longer support the organization’s mission, a new project is implemented
Security SDLC The same phases used in traditional SDLC may be adapted to support specialized implementation of an IS project Identification of specific threats and creating controls to counter them
Security SDLC Phase 1: Investigation Phase 2: Analysis Management defines project processes and goals and documents these in the program security policy Phase 2: Analysis Analyze existing security policies and programs Analyze current threats and controls Examine legal issues Perform risk analysis
Security SDLC Phase 3: Logical Design Phase 4: Physical Design Develop security blueprint Plan incident response actions Plan business response to disaster Determine feasibility of continuing and/or outsourcing the project Phase 4: Physical Design Select technologies needed to support security blueprint Develop definition of successful solution Design physical security measures to support technological solutions Review the approval project
Security SDLC Phase 5: Implementation Phase 6: Maintenance Buy or develop security solutions At end of phase, present tested package to management for approval Phase 6: Maintenance Constantly monitor, test, modify, update, and repair to meet changing threats
INFORMATION SECURITY IS IT AN ART OR A SCIENCE? Implementation of information security often described as combination of art and science Security as Art No hard and fast rules nor many universally accepted complete solutions No manual for implementing security through entire system
INFORMATION SECURITY IS IT AN ART OR A SCIENCE? Security as Science Dealing with technology designed to perform at high levels of performance Specific conditions cause virtually all actions that occur in computer systems Nearly every fault, security hole, and systems malfunction a result of interaction of specific hardware and software If developers had sufficient time, they could resolve and eliminate faults
Information Security terms and concepts Asset – Organization resource being protected Exploit – A technique used to compromise a system Exposure – A condition or state of being exposed. When a vulnerability known to an attacker is present. Risk – The probability that something unwanted will happen Threat – A category of objects, persons or other entities that presents a danger to asset Threat agent – The specific instance or component of a threat
SUMMARY Security should be considered a balance between protection and availability Information security must be managed similar to any major system implemented in an organization using a methodology like Security SDLC Implementation of information security often described as a combination of art and science
Readings The CIA Triad Building Security Into The Software Life Cycle http://www.techrepublic.com/blog/security/the-cia-triad/488 Building Security Into The Software Life Cycle http://www.blackhat.com/presentations/bh-usa-06/bh-us-06-Morana-R3.0.pdf Rethinking Information Security to Improve Business Agility http://www.intel.com/content/www/us/en/enterprise-security/intel-it-enterprise-security-rethinking-information-security-to-improve-business-agility-paper.html