60304756 whitman-ch01-1


Post on 22-Oct-2014


Principles of Information Security, 3rd Edition 2

Learning Objectives

Upon completion of this material, you should be able to:

Define information security

Relate the history of computer security and how it evolved into information security

Define key terms and critical concepts of information security as presented in this chapter

Discuss the phases of the security systems development life cycle

Present the roles of professionals involved in information security within an organization

Page 3: 60304756 whitman-ch01-1


What is Security?

“The quality or state of being secure—to be free from danger,” or protection against adversaries

A successful organization should have multiple layers of security in place:

Physical security

Personal security

Operations security

Communications security

Network security

Information security


What is Security? (continued)

Information security: the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information (the CNSS, formerly NSTISSC, standard definition)

Necessary tools to protect information: policy, awareness, training, education, technology

The NSTISSC security model evolved from the C.I.A. triangle, the industry standard for computer security since the mainframe era

The C.I.A. triangle is based on three characteristics of information: confidentiality, integrity, and availability

The C.I.A. triangle alone no longer adequately addresses the constantly changing environment of the computer industry

It has therefore been expanded into a list of critical characteristics of information


Critical Characteristics of Information

The value of information comes from the characteristics it possesses: when a characteristic changes, the value of the information changes, increasing or decreasing

Availability: authorized users (persons or systems) can access the information without interference or obstruction and receive it in the required format. Eg: a research library lets a registered user check out a book, supplied in the specified format

Accuracy: the information is free from mistakes or errors and has the value the end user expects. Eg: a bank account balance; an incorrect balance leads to incorrect decisions


Authenticity: the quality or state of being genuine or original rather than a reproduction or fabrication; information is authentic when it is in the same state in which it was created, placed, stored, or transferred. Eg: e-mail spoofing and phishing, where the sender address or the sending site is forged

Confidentiality: the information is protected from disclosure or exposure to unauthorized individuals or systems. Measures:

Information classification

Secure document storage

Application of general security policies

Education of information custodians and end users

Eg: salami theft, where an attacker removes small amounts of information (or money) at a time so that each individual theft goes unnoticed


Integrity: the information is whole, complete, and uncorrupted; it is threatened when exposed to corruption, damage, destruction, or other disruption of its authentic state. Viruses and worms were historically detected by the change in file size they cause. A stronger method is file hashing: a hashing algorithm computes a hash value from the file's contents, and recomputing it later and comparing it with the stored value reveals any change. Noise in transmission can also corrupt integrity; it is countered with algorithms, hash values, and error-correcting codes
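The file-hashing integrity check described above, as an added example that is not part of the textbook or these slides: it records size and SHA-256 for a set of constructed sample files, then shows that a same-length modification slips past the old file-size heuristic while the stored hash catches it, and also reports appended and deleted files. The filenames and contents are made up for the demonstration.

```python
"""Integrity checking with file hashing (added example, not textbook code).

Baselines size + SHA-256 for a set of files, then re-checks them. Shows why
the historical "file size changed" virus heuristic is weak: a modification
that keeps the length is invisible to it but not to the hash.
"""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path


def digest_of_bytes(data, algorithm="sha256"):
    """Hex digest of an in-memory byte string (handy for known-answer checks)."""
    return hashlib.new(algorithm, data).hexdigest()


def file_hash(path, algorithm="sha256", chunk_size=65536):
    """Hex digest of the file at `path`, read in chunks so large files fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, algorithm="sha256"):
    """Record size and hash for each file. In practice keep this baseline
    read-only or offline, or an attacker simply updates it along with the file."""
    return {
        str(p): {"size": os.path.getsize(p), "hash": file_hash(p, algorithm)}
        for p in paths
    }


def check_integrity(baseline, algorithm="sha256"):
    """Compare every baselined file with its current state.

    Status values: 'unchanged', 'modified', 'modified (same size)', 'missing'.
    The 'same size' case is exactly what a size-only check would miss.
    """
    results = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            results[path] = "missing"
            continue
        size_same = os.path.getsize(path) == expected["size"]
        # Constant-time comparison so timing does not leak how much of the digest matched.
        hash_same = hmac.compare_digest(file_hash(path, algorithm), expected["hash"])
        if hash_same:
            results[path] = "unchanged"
        elif size_same:
            results[path] = "modified (same size)"
        else:
            results[path] = "modified"
    return results


def demo():
    """Constructed scenario in a temporary directory; returns {filename: status}."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        files = {  # constructed sample files
            "app.conf": b"admin_port=8443\nallow_root=0\n",
            "tool.bin": bytes(range(256)),
            "readme.txt": b"unchanged file\n",
            "old.log": b"to be deleted\n",
        }
        for name, content in files.items():
            (root / name).write_bytes(content)
        baseline = build_baseline([root / n for n in files])

        # Tamper: flip one byte keeping the length, append to another file, delete a third.
        (root / "app.conf").write_bytes(b"admin_port=8443\nallow_root=1\n")
        (root / "tool.bin").write_bytes(bytes(range(256)) + b"\x90")
        (root / "old.log").unlink()

        return {Path(p).name: status for p, status in check_integrity(baseline).items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:12s} {status}")
```

The one-byte change to app.conf leaves its size untouched, so only the hash comparison flags it; this is why modern integrity monitors (and package managers verifying downloads) compare digests rather than lengths, and why the baseline itself must be protected from the same attacker.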

Utility: the information has value for some purpose or end; it is useful only when it can be used in a meaningful manner

Possession: the quality or state of ownership or control of the information


Figure 1-4 – NSTISSC Security Model


Components of an Information System

Information system (IS) is entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization


Securing Components

A computer can be the subject of an attack and/or the object of an attack

When the subject of an attack, the computer is used as an active tool to conduct the attack

When the object of an attack, the computer is the entity being attacked

An attack can be direct (the attacker's own computer breaks into the target) or indirect (a compromised computer is used to attack other systems)


Figure 1-5 – Subject and Object of Attack


Balancing Information Security and Access

Impossible to obtain perfect security—it is a process, not an absolute

Security should be considered balance between protection and availability

To achieve balance, level of security must allow reasonable access, yet protect against threats


Figure 1-6 – Balancing Security and Access


Approaches to Information Security Implementation: Bottom-Up Approach

Grassroots effort: systems administrators attempt to improve security of their systems

Key advantage: technical expertise of individual administrators

Seldom works, as it lacks a number of critical features:

Participant support

Organizational staying power


Approaches to Information Security Implementation: Top-Down Approach

Initiated by upper management

Issue policy, procedures, and processes

Dictate goals and expected outcomes of project

Determine accountability for each required action

The most successful efforts also involve a formal development strategy referred to as the systems development life cycle (SDLC)


Securing the Systems Development Life Cycle

The SDLC must consider the security of both the system and the information it processes

This applies whether the system is custom-developed or bought as commercial off-the-shelf (COTS) software

The organization decides whether to follow a general SDLC or one tailored to its needs

NIST recommends specific IT security steps for each SDLC phase


Securing the Systems Development Life Cycle (continued)

Investigation/Analysis Phase:

Security categorization (low, moderate, high): rates the potential impact on the organization if the system or its information is compromised; depends on the system and assists in selecting the security controls for the information

Preliminary risk assessment: defines the threat environment in which the system will operate


Securing the Systems Development Life Cycle (continued)

Logical/Physical Design Phase:

Risk assessment: builds on the initial risk assessment to identify the protection requirements for the system

Security functional requirements analysis: the system security environment (enterprise security policy and architecture) and the security functional requirements themselves

Security assurance requirements analysis: the development activities required and the assurance evidence needed to give confidence that information security is effective

Cost considerations: software, hardware, and people (including training)


Securing the Systems Development Life Cycle (continued)

Security planning: ensures the agreed-upon security controls are fully documented in plans such as the contingency plan, the configuration management (CM) plan, and the incident response plan

Security control development: ensures the controls described in the security plan are designed, developed, and implemented


Securing the Systems Development Life Cycle (continued)

Developmental security test and evaluation: tests the controls as implemented; some cannot be tested until the system is deployed

Other planning components: ensures all necessary components are considered, including the contract type, the participation of functional groups, and the certifier/accreditor


Securing the Systems Development Life Cycle (continued)

Implementation Phase:

Inspection and acceptance: verifies and validates that the functionality described in the deliverables is present

System integration: ensures the system is integrated with integrity into its deployment environment

Security certification: uncovers remaining vulnerabilities and ensures controls are implemented effectively through established verification procedures and validation techniques

Security accreditation: provides authorization for the information system to store, process, and transmit information; granted by a senior organizational official


Securing the Systems Development Life Cycle (continued)

Maintenance and Change Phase:

Configuration management and control: ensures adequate consideration of information security when changes are made to the system

Continuous monitoring: ensures the controls remain effective over time

Information preservation: retains information as required by current legal requirements and accommodates future changes in technology

Media sanitization: ensures unwanted data is deleted, erased, or overwritten before media leave the organization's control

Hardware and software disposal


Senior Management

Chief Information Officer (CIO)

The senior technology officer

Primarily responsible for advising senior executives on strategic planning

Chief Information Security Officer (CISO), or information security manager

Primarily responsible for the assessment, management, and implementation of information security in the organization

Usually reports directly to the CIO


Information Security Project Team

A number of individuals who are experienced in one or more facets of the required technical and nontechnical areas:

Champion: a senior executive who promotes the project and ensures its financial and administrative support

Team leader: a project manager who understands project management, personnel management, and the technical requirements

Security policy developers

Risk assessment specialists

Security professionals

Systems administrators

End users


Data Ownership

Data owner: responsible for the security and use of a particular set of information

Data custodian: responsible for storage, maintenance, and protection of information

Data users: end users who work with information to perform their daily jobs supporting the mission of the organization


Communities of Interest

A group of individuals united by similar interests or values within an organization, who share common goals of meeting the organization's objectives

Information security management and professionals: protect the organization's information systems and stored information from attack

Information technology management and professionals: support business objectives, focusing on cost and ease of use

Organizational management and professionals (general users, and the subjects of security controls): execution, production, HR, and so on


Information Security: Is it an Art or a Science?

Implementation of information security often described as combination of art and science

“Security artisan” idea: based on the way individuals have perceived systems technologists since computers became commonplace


Security as Art

Like a painter applying oils to canvas, the security administrator works with no hard and fast rules and few universally accepted complete solutions

There is no manual for implementing security through an entire system


Security as Science

Dealing with technology designed to operate at high levels of performance

Specific conditions cause virtually all actions that occur in computer systems

Nearly every fault, security hole, and systems malfunction is a result of the interaction of specific hardware and software

If developers had sufficient time, they could resolve and eliminate faults


Security as a Social Science

Social science examines the behavior of individuals interacting with systems

Security begins and ends with the people that interact with the system

Security administrators can greatly reduce levels of risk caused by end users, and create more acceptable and supportable security profiles


Summary

Information security is a “well-informed sense of assurance that the information risks and controls are in balance”

Computer security began immediately after first mainframes were developed

Successful organizations have multiple layers of security in place: physical, personal, operations, communications, network, and information


Summary (continued)

Security should be considered a balance between protection and availability

Information security must be managed similarly to any major system implemented in an organization using a methodology like SecSDLC

Implementation of information security often described as a combination of art and science