Principles Of Information Security, Fourth Edition


Principles of Information Security, Fourth Edition
Chapter 1: Introduction to Information Security

Introduction
- Information security: a "well-informed sense of assurance that the information risks and controls are in balance." — Jim Anderson, Inovant (2002)
- Security professionals must review the origins of this field to understand its impact on our understanding of information security today

The History of Information Security
- Computer security began immediately after the first mainframes were developed
  – Groups developing code-breaking computations during World War II created the first modern computers
  – Multiple levels of security were implemented
    – Physical controls to limit access to sensitive military locations to authorized personnel
    – Rudimentary in defending against physical theft, espionage, and sabotage

The 1970s and 80s
- ARPANET (Advanced Research Project Agency network) grew in popularity, as did its potential for misuse
- Fundamental problems with ARPANET security were identified
  – No safety procedures for dial-up connections to ARPANET
  – Nonexistent user identification and authorization to the system
- Late 1970s: the microprocessor expanded computing capabilities, and security threats along with them

The 1970s and 80s (cont'd.)
- Information security began with Rand Report R-609 (the paper that started the study of computer security)
- Scope of computer security grew from physical security to include:
  – Safety of data
  – Limiting unauthorized access to data
  – Involvement of personnel from multiple levels of an organization

MULTICS
- Early focus of computer security research was a system called Multiplexed Information and Computing Service (MULTICS)
- First operating system created with security as its primary goal
- Mainframe, time-sharing OS developed in the mid-1960s by General Electric (GE), Bell Labs, and Massachusetts Institute of Technology (MIT)
- Several MULTICS key players created UNIX
- Primary purpose of UNIX was text processing

The 1990s
- Networks of computers became more common; so too did the need to interconnect networks
- The Internet became the first manifestation of a global network of networks
- Initially based on de facto standards
- In early Internet deployments, security was treated as a low priority

2000 to Present
- The Internet brings millions of computer networks into communication with each other, many of them unsecured
- The ability to secure a computer's data is influenced by the security of every computer to which it is connected
- The growing threat of cyber attacks has increased the need for improved security

What is Security?
- "The quality or state of being secure—to be free from danger"
- A successful organization should have multiple layers of security in place:
  – Physical security
  – Personal security
  – Operations security
  – Communications security
  – Network security
  – Information security

What is Security? (cont'd.)
- The protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information
- Necessary tools: policy, awareness, training, education, technology
- C.I.A. triangle
  – Was the standard, based on confidentiality, integrity, and availability
  – Now expanded into a list of critical characteristics of information

Figure 1-3 Components of Information Security

Key Information Security Concepts
- Access
- Asset
- Attack
- Control, Safeguard, or Countermeasure
- Exploit
- Exposure
- Loss
- Protection Profile or Security Posture
- Risk
- Subjects and Objects
- Threat
- Threat Agent
- Vulnerability

Figure 1-4 Information security components analogy (Cengage Learning 2012; Security Guide to Network Security Fundamentals, Fourth Edition)

Figure 1-4 Information Security Terms

Critical Characteristics of Information
- The value of information comes from the characteristics it possesses

CNSS Security Model
Figure 1-6 The McCumber Cube

Components of an Information System
- An information system (IS) is the entire set of components necessary to use information as a resource
- Components include:
  – Data
  – People
  – Procedures
  – Networks

Balancing Information Security and Access
- Impossible to obtain perfect security: it is a process, not an absolute
- Security should be considered a balance between protection and availability
- To achieve balance, the level of security must allow reasonable access, yet protect against threats

Figure 1-6 Balancing Security and Access
Figure 1-8 Balancing Information Security and Access

Approaches to Information Security Implementation: Bottom-Up Approach
- Grassroots effort: systems administrators attempt to improve the security of their systems
- Key advantage: technical expertise of individual administrators
- Seldom works, as it lacks a number of critical features:
  – Participant support
  – Organizational staying power

Approaches to Information Security Implementation: Top-Down Approach
- Initiated by upper management
  – Issue policy, procedures, and processes
  – Dictate goals and expected outcomes of the project
  – Determine accountability for each required action
- The most successful also involve a formal development strategy referred to as the systems development life cycle

Figure 1-9 Approaches to Information Security Implementation

Figure 1-10 SDLC Waterfall Methodology

The Security Systems Development Life Cycle
- The same phases used in the traditional SDLC may be adapted to support a specialized implementation of an IS project
- Identification of specific threats and creation of controls to counter them
- The SecSDLC is a coherent program rather than a series of random, seemingly unconnected actions

Investigation
- Identifies the process, outcomes, goals, and constraints of the project
- Begins with the Enterprise Information Security Policy (EISP)
- An organizational feasibility analysis is performed

Analysis
- Documents from the investigation phase are studied
- Analysis of existing security policies or programs, along with documented current threats and associated controls
- Includes analysis of relevant legal issues that could impact the design of the security solution
- The risk management task begins

Logical Design
- Creates and develops blueprints for information security
- Incident response actions planned:
  – Continuity planning
  – Incident response
  – Disaster recovery
- Feasibility analysis to determine whether the project should be continued or outsourced

Physical Design
- Needed security technology is evaluated, alternatives are generated, and the final design is selected
- At the end of the phase, a feasibility study determines the readiness of the organization for the project

Implementation
- Security solutions are acquired, tested, implemented, and tested again
- Personnel issues evaluated; specific training and education programs conducted
- The entire tested package is presented to management for final approval

Maintenance and Change
- Perhaps the most important phase, given the ever-changing threat environment
- Often, repairing damage and restoring information is a constant duel with an unseen adversary
- The information security profile of an organization requires constant adaptation as new threats emerge and old threats evolve

Information Security Project Team
- A number of individuals who are experienced in one or more facets of the required technical and nontechnical areas:
  – Champion
  – Team leader
  – Security policy developers
  – Risk assessment specialists
  – Security professionals
  – Systems administrators
  – End users

Data Responsibilities
- Data owner: responsible for the security and use of a particular set of information
- Data custodian: responsible for the storage, maintenance, and protection of information
- Data users: end users who work with information to perform their daily jobs supporting the mission of the organization

