CS2216 – PRINCIPLES OF COMPUTER AND NETWORK SECURITY

CS2216 – PRINCIPLES OF COMPUTER AND NETWORK SECURITY WEEK 1: INFORMATION SECURITY OVERVIEW

Security Definition In general, security is defined as "the quality or state of being secure—to be free from danger." In practice, security is achieved by several strategies undertaken at the same time or in combination with one another; no single control is sufficient on its own.

Specialized areas of security
Physical security: strategies to protect people, physical assets and the workplace from threats such as fire, unauthorised access and natural disasters.
Personal security: overlaps with physical security in the protection of the people within the organisation.
Operations security: securing the organisation's ability to carry out its operational activities without interruption or compromise.

cont
Communications security: protection of the organization's communications media, technology and content, and of its ability to use those tools to achieve the organization's objectives.
Network security: protection of the organization's data networking devices, connections and contents, and of its ability to use that network to carry out its data communication functions.
Information security includes the broad areas of information security management, computer and data security, and network security.

What is information security? Information security is defined in the British standard BS ISO/IEC 27001:2005 (published by the British Standards Institution) as the "preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved".

Properties of information security
Confidentiality means that information is disclosed only to authorised users.
Integrity means that information is not modified or destroyed without authorisation.
Availability means that information is available to authorised users when it is required.

cont
Authenticity means that a user attempting to access the information is in fact the user to whom that level of access belongs.
Accountability means that every action on the information can be traced to the user responsible for it.
Non-repudiation means that the sender of information cannot later deny having sent it.
Reliability means that information is consistently processed according to its design.

CIA Triangle The CIA triangle (confidentiality, integrity and availability), also known as the CIA triad, has been expanded into the more comprehensive list of critical characteristics of information given above. The three core properties are sometimes called the pillars of information security.

CIA triangle (figure): the three vertices are confidentiality, integrity and availability.

Commercial Example
Confidentiality: an employee should not come to know the salary of his or her manager.
Integrity: an employee should not be able to modify the employee's own salary.
Availability: paychecks should be printed on time, as stipulated by law.

Military Example
Confidentiality: the target coordinates of a missile should not be improperly disclosed.
Integrity: the target coordinates of a missile should not be improperly modified.
Availability: when the proper command is issued, the missile should fire.
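The commercial example above is usually left as prose; the following is an added example (not part of the CS2216 slides) that turns its confidentiality and integrity rules into enforceable checks, with an HMAC tag so tampering with a stored record is detected and an audit trail for accountability. The role table, the payroll records and the integrity key are all constructed for the example.

```python
"""Added example (not part of the CS2216 slides): the commercial CIA example
expressed as code.  Assumptions, all constructed for this example: an in-memory
payroll table, a hypothetical role table ROLES, and a demo HMAC key."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed placeholder; in production the key lives in a secrets store.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"

# Hypothetical role assignments for the example.
ROLES = {"alice": "employee", "bob": "manager", "carol": "payroll"}

# Accountability: every access decision is recorded as (who, action, whose record, outcome).
AUDIT: List[Tuple[str, str, str, str]] = []


@dataclass
class SalaryRecord:
    employee: str
    manager: str
    salary: int
    tag: bytes = b""  # HMAC over the other fields; detects tampering

    def canonical(self) -> bytes:
        # Sorted keys give a stable byte string to authenticate.
        return json.dumps(
            {"employee": self.employee, "manager": self.manager, "salary": self.salary},
            sort_keys=True,
        ).encode()


def seal(record: SalaryRecord) -> SalaryRecord:
    """Integrity: bind the record's contents to a keyed MAC."""
    record.tag = hmac.new(INTEGRITY_KEY, record.canonical(), hashlib.sha256).digest()
    return record


def verify(record: SalaryRecord) -> bool:
    """True only if the record has not been altered since it was sealed."""
    expected = hmac.new(INTEGRITY_KEY, record.canonical(), hashlib.sha256).digest()
    return hmac.compare_digest(record.tag, expected)


def authorize(subject: str, action: str, record: SalaryRecord) -> bool:
    """Deny by default; only the listed rules grant access.

    Confidentiality: a record is readable by its owner, the owner's manager and
    payroll, so an employee cannot read the manager's salary.
    Integrity: only payroll may write, and never to its own record, so an
    employee cannot change their own salary.
    """
    role = ROLES.get(subject)
    if action == "read":
        return subject in (record.employee, record.manager) or role == "payroll"
    if action == "write":
        return role == "payroll" and subject != record.employee
    return False


def access(subject: str, action: str, record: SalaryRecord,
           new_salary: Optional[int] = None) -> int:
    """Mediate every access: decide, log, then act."""
    allowed = authorize(subject, action, record)
    AUDIT.append((subject, action, record.employee, "allow" if allowed else "deny"))
    if not allowed:
        raise PermissionError(f"{subject} may not {action} {record.employee}'s record")
    if action == "read":
        if not verify(record):
            raise ValueError(f"integrity check failed for {record.employee}")
        return record.salary
    record.salary = new_salary
    seal(record)
    return record.salary


def demo() -> dict:
    """Run the scenario and return the outcomes."""
    AUDIT.clear()
    alice = seal(SalaryRecord("alice", "bob", 50_000))
    bob = seal(SalaryRecord("bob", "carol", 90_000))
    results = {"alice_reads_own": access("alice", "read", alice)}
    try:
        access("alice", "read", bob)  # confidentiality rule
        results["alice_reads_manager"] = "allowed"
    except PermissionError:
        results["alice_reads_manager"] = "denied"
    try:
        access("alice", "write", alice, 99_000)  # integrity rule
        results["alice_writes_own"] = "allowed"
    except PermissionError:
        results["alice_writes_own"] = "denied"
    results["payroll_writes_alice"] = access("carol", "write", alice, 52_000)
    alice.salary = 1_000_000  # tampering with the store directly, bypassing access()
    results["tamper_detected"] = not verify(alice)
    results["audit_entries"] = len(AUDIT)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the three properties need different mechanisms: the access check gives confidentiality and integrity against users who go through the front door, the HMAC gives integrity against anyone who edits the stored record directly (it does not give non-repudiation, because the key is shared), and the audit list gives accountability. Availability (paychecks printed on time) is not something this code can demonstrate; it comes from redundancy, capacity and operational planning rather than from a check.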

Security Trends 2015 Cybercriminals are becoming more sophisticated and more collaborative every year. To combat the threat in 2015, information security professionals must understand these five trends:

1. Cybercrime

cont The Internet is an increasingly attractive hunting ground for criminals, activists and terrorists motivated to make money, get noticed, cause disruption or even bring down corporations and governments through online attacks. Many of today's organised cybercrime groups are reported to operate out of the former Soviet states. They are highly skilled and well equipped: they often use 21st century tools to take on 20th century systems.

cont In 2015, organizations must be prepared for the unpredictable so they have the resilience to withstand unforeseen, high impact events. "Cybercrime, along with the increase in online causes (hacktivism), the increase in cost of compliance to deal with the uptick in regulatory requirements coupled with the relentless advances in technology against a backdrop of under investment in security departments, can all combine to cause the perfect threat storm.

cont Organizations that identify what the business relies on most will be well placed to quantify the business case to invest in resilience, therefore minimizing the impact of the unforeseen."

2. Privacy and Regulation Most governments have already created, or are in the process of creating, regulations that impose conditions on the safeguarding and use of Personally Identifiable Information (PII), with penalties for organizations that fail to protect it sufficiently. As a result, organizations need to treat privacy as both a compliance issue and a business risk issue, in order to reduce regulatory sanctions and business costs such as reputational damage and loss of customers due to privacy breaches.

cont The patchwork nature of regulation around the world is likely to become an increasing burden on organizations in 2015. Organizations should look upon the EU's struggles with data breach regulation and privacy regulation as a temperature gauge and plan accordingly.

3. Threats From Third-Party Providers Supply chains are a vital component of every organization's global business operations and the backbone of today's global economy. However, security chiefs everywhere are growing more concerned about how exposed those supply chains are to numerous risk factors. A range of valuable and sensitive information is often shared with suppliers, and once that information is shared, direct control over it is lost. This increases the risk of its confidentiality, integrity or availability being compromised.

4. BYOx Trends in the Workplace The bring-your-own (BYO) trend is here to stay whether organizations like it or not, and few organizations have developed good policy guidelines to cope. As the trend of employees bringing mobile devices, applications and cloud-based storage and access in the workplace continues to grow, businesses of all sizes are seeing information security risks being exploited at a greater rate than ever before.

cont These risks stem from both internal and external threats including mismanagement of the device itself, external manipulation of software vulnerabilities and the deployment of poorly tested, unreliable business applications. If you determine the BYO risks are too high for your organization today, you should at least make sure to stay abreast of developments. If you decide the risks are acceptable, make sure you establish a well-structured BYOx program.

5. Engagement With Your People And that brings us full circle to every organization's greatest asset and most vulnerable target: people. Over the past few decades, organizations have spent millions, if not billions, of dollars on information security awareness activities. The rationale behind this approach was to take their biggest asset — people — and change their behavior, thus reducing risk by providing them with knowledge of their responsibilities and what they need to do.

cont But this has been — and will continue to be — a losing proposition. Instead, organizations need to make positive security behaviors part of the business process, transforming employees from risks into the first line of defense in the organization's security posture. As we move into 2015, organizations need to shift from promoting awareness of the problem to creating solutions and embedding information security behaviors that affect risk positively. The risks are real because people remain a ‘wild card’.

Security Incidents What is an Information Security Incident? Where university information is concerned, an information security incident can be defined as any event or set of circumstances threatening its confidentiality, its integrity or its availability.

Examples of information security incidents Examples of information security incidents can include, but are not limited to:
Disclosure of confidential information to unauthorised individuals
Loss or theft of paper records, data or equipment (e.g. laptops, smartphones or memory sticks) on which data is stored

cont
Inappropriate access controls allowing unauthorised use of information
Suspected breach of the University IT and Communications Acceptable Use Policy
Attempts to gain unauthorised access to computer systems, e.g. hacking
Records altered or deleted without the authorisation of the data "owner"
Virus infection or other attack on IT equipment, systems or networks

cont
"Blagging" offences, where information is obtained by deception
Breaches of physical security, e.g. forcing of doors or windows into a secure room, or a filing cabinet containing confidential information left unlocked in an accessible area
Leaving IT equipment unattended while logged in to a user account without locking the screen, allowing others to access information

cont
Covert or unauthorised recording of meetings and presentations
Insecure disposal of paper documents or of IT and communications equipment, allowing others to recover and read confidential information

Why Security? Computers and networks are the nerves of the basic services and critical infrastructures of our society:
– Financial services and commerce
– Transportation
– Power grids
– Etc.
Computers and networks are therefore targets of attack by our adversaries.

cont In today's high technology environment, organisations are becoming more and more dependent on their information systems. The public is increasingly concerned about the proper use of information, particularly personal data. The threats to information systems from criminals and terrorists are increasing. Many organisations will identify information as an area of their operation that needs to be protected as part of their system of internal control.

cont Competitive advantage … is dependent on superior access to information. Information is the oxygen of the modern age. It seeps through the walls topped by barbed wire, it wafts across the electrified borders. It is vital to be worried about information security because much of the value of a business is concentrated in the value of its information. Information is, as Grant says, the basis of competitive advantage.

cont And in the not-for-profit sector, with increased public awareness of identity theft and of the power of information, it is also the area of an organisation's operations that most needs control. Without information, neither businesses nor the not-for-profit sector could function. Valuing and protecting information are crucial tasks for the modern organisation.

Growing IT Security Importance and New Career Opportunities The increased risk of cyber-attacks is driving a demand for cyber-security professionals. Telecommunications: Network architects are essential to the security infrastructure. Individuals with experience in creating and working with cloud networks—and who understand business processes and network-aware devices—will make the greatest contribution.

cont Programming: Experience working with secure life cycle development, along with an understanding of coding practices and code review, can translate into all aspects of security analysis—from basic event management to forensics and incident response.

cont Cloud Storage: As data moves into public and private clouds, professionals who have an understanding of how the cloud is being used from a variety of aspects—such as service planning, architecture and data flow through each layer in the cloud network—may be equipped to handle security and compliance controls. 

cont Database: As we begin to take advantage of big data to analyze historical trends and correlations in our networks and beyond, we need people with a blend of knowledge about database technology, coupled with analytic, statistical and mathematical skills to sort through data elements and find valuable relationships. 

cont Security Pros Need Soft Skills Cyber-security professionals obviously need a baseline of technology skills, but on its own, tech savvy is not enough. People in security also need to have soft skills and some distinctive personality traits. These include the following:

cont Inquisitive minds: Workers who display detective-like thought processes that enable them to analyze how to do and use things differently than intended are often the best analysts, researchers and operational specialists.

cont Knowledge of psychology, sociology and organizational behavior: With so many vulnerabilities created by human error, it is critical to be well-trained in business processes; be able to think the way users think; and be able to predict how users might deviate from best practices—inadvertently or not.

cont Open-minded nature: The threat landscape changes rapidly. We may need to tear down infrastructure tomorrow that we built today. Cyber-professionals must be able to adapt quickly to situational changes.

Twelve (12) Information Security Principles
Principle 1: Focus on the business. Connect with business leaders to make sure security is part of the business and risk management processes.

Principle 2: Deliver quality and value. Communicate with stakeholders so that changing security requirements can be met, and promote the value of information security, both financial and non-financial.

Principle 3: Comply with relevant legal and regulatory requirements. Avoid civil or criminal penalties by identifying compliance obligations and translating them into information security requirements. The penalties for non-compliance should be made clear.

Principle 4: Accurately report security performance. Use security metrics such as compliance status, incidents, control status and cost to demonstrate how security performance is helping the company meet its objectives.

Principle 5: Evaluate current and future threats. Trends and security threats should be identified and monitored so that you can address them proactively, before they become a security problem.

Principle 6: Promote continuous improvement. Reduce costs, improve efficiency and promote a culture of security by sharing information across your organization. Keep your IT department agile and always striving for improvement.

Principle 7: Adopt a risk-based approach. Agree on how risk is assessed and document the procedures consistently. For each identified risk, decide whether the plan is to accept it, avoid it, transfer it (for example through insurance or contract) or mitigate it with controls.

Principle 8: Protect classified information. Identify and classify information according to its level of confidentiality, and protect it accordingly through all stages of the information lifecycle.

Principle 9: Concentrate on critical business applications. Prioritize security resources to protect the business applications where security incidents would have the greatest impact on the business.

Principle 10: Develop systems securely. Build quality, cost-effective systems that the business can rely on. Make information security an integral part of the design.

Principle 11: Act in a professional and ethical manner. Security relies on the ability of your team to perform their duties responsibly while understanding the importance of the information they are protecting. Support and respect the needs of the business.

Principle 12: Foster a security-positive culture. Make information security part of "business-as-usual". Educate users on how to protect critical information and systems, and make them aware of the threats and risks they face.