Information Security Lecture for week 5 October 19, 2014 Abhinav Dahal.


Information Security

Lecture for week 5

October 19, 2014

Abhinav Dahal

Agenda (Today…)

• What is information?
• Security risks
• Characteristics of information
• Information Security (IS)
• Approaches to IS
• History of IS
• Components of IS
• Security Systems Development Life Cycle
• Good practices in IS
• Information security careers

“Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected”

BS ISO 27002:2005

Information can be

Printed or written on paper

Stored electronically

Transmitted by post or using electronics means

Displayed / published on web

Verbal – spoken in conversations

• Security risks start when the power is turned on.
• The only way to deal with security risks is via risk management.
• Risks can be identified and reduced, but never eliminated.
• No matter how secure you make a system, it can always be broken into, given sufficient resources, time, motivation and money.

Security risks

• Since you cannot protect yourself if you do not know what you are protecting against, a risk assessment must be performed.

• A risk assessment answers 3 fundamental questions:

– Identify assets – what am I trying to protect?

– Identify threats – what am I protecting against?

– Calculating risks – how much time, effort and money am I willing to expend to obtain adequate protection?

• After risks are determined, you can then develop the policies and procedures needed to reduce the risks.
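To make the three questions concrete, here is an added example (not from the lecture) of a small risk register in Python. The assets, threats, loss figures and per-year likelihoods are constructed values; a control is only chosen when the loss it avoids exceeds what it costs, which is the "how much am I willing to expend" decision, and risks with no control that pays for itself are simply accepted.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Risk:
    asset: str             # identify assets: what am I trying to protect?
    threat: str            # identify threats: what am I protecting against?
    loss_per_event: float  # money lost when the threat succeeds once
    per_year: float        # expected number of such events per year

    def expected_loss(self) -> float:
        """Expected annual loss: loss per event times events per year."""
        return self.loss_per_event * self.per_year

@dataclass(frozen=True)
class Control:
    name: str
    threat: str         # the threat this control addresses
    annual_cost: float  # time, effort and money spent on protection
    reduction: float    # fraction by which it cuts the event rate (0..1)

def rank_risks(risks):
    """Order risks from largest to smallest expected annual loss."""
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)

def control_benefit(risk, control):
    """Loss avoided by the control minus its cost; positive means it pays off."""
    return risk.expected_loss() * control.reduction - control.annual_cost

def worthwhile_controls(risks, controls):
    """Per risk, the matching control with the best positive net benefit.
    Risks for which no control pays for itself are left out (accepted)."""
    choices = {}
    for risk in risks:
        matching = [c for c in controls if c.threat == risk.threat]
        if matching:
            best = max(matching, key=lambda c: control_benefit(risk, c))
            if control_benefit(risk, best) > 0:
                choices[(risk.asset, risk.threat)] = best.name
    return choices

# Constructed sample register; the figures are illustrative, not from the lecture.
SAMPLE_RISKS = [
    Risk("customer database", "theft of data by hackers", 500_000, 0.10),
    Risk("file server", "theft of hardware", 20_000, 0.05),
    Risk("public web site", "utility loss (power)", 8_000, 2.0),
]
SAMPLE_CONTROLS = [
    Control("patching and hardening programme", "theft of data by hackers", 15_000, 0.6),
    Control("locked server room", "theft of hardware", 3_000, 0.5),
    Control("UPS and generator", "utility loss (power)", 5_000, 0.9),
]
```

With the sample figures the locked server room costs more per year than the hardware-theft loss it avoids, so that risk is accepted rather than controlled.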

Security risks (Contd…)

• Earthquake, flood, hurricane, lightning.
• Utility loss, i.e. power, telecommunication.
• Theft of hardware, software, data.
• Terrorists, both political and information.
• Software bugs, malicious code, viruses, spam, mail bombs.
• Hackers.

Threats

Why is information vulnerable?

The great skill divide: application security people are from Mars, software developers are from Venus. Most application security people are not software people and cannot write code (properly), or vice versa.

Priority: Security < Performance < Functionality

• Unable to understand or quantify security threats and technical vulnerabilities.

• Begin the analysis with a preconceived notion that the cost of controls will be excessive or the security technology doesn’t exist.

• Belief that the security solution will interfere with the performance or appearance of the business product.

Why is information vulnerable? (Contd…)

Characteristics of Information

• Three characteristics of information must be protected by information security:

Confidentiality

Integrity

Availability

ISO 27002:2005 defines Information Security as the preservation of:

Confidentiality

Ensuring that information is accessible only to those authorized to have access

Integrity

Safeguarding the accuracy and completeness of information and processing methods

Availability

Ensuring that authorized users have access to information and associated assets when required

What is Information Security?

The architecture where an integrated combination of appliances, systems and solutions, software, and vulnerability scans are working together.

Information security is all about protecting and preserving information. It’s all about protecting and preserving the confidentiality, integrity, authenticity, availability, and reliability of information.

Monitored 24x7

Figure 1-4 – NSTISSC Security Model

The History of Information Security

• Began immediately after the first mainframes were developed

• Physical controls to limit access to sensitive military locations to authorized personnel

• Rudimentary in defending against physical theft, espionage, and sabotage

The History of Information Security (Contd…)

• The 1960s

Advanced Research Projects Agency (ARPA) began to examine feasibility of redundant networked communications

Lawrence Roberts developed ARPANET from its inception

The History of Information Security (Contd…)

• The 1970s and 80s

ARPANET grew in popularity as did its potential for misuse

Fundamental problems with ARPANET security were identified:

• No safety procedures for dial-up connections to ARPANET

• Non-existent user identification and authorization to system

Late 1970s: microprocessor expanded computing capabilities and security threats.

The History of Information Security (Contd…)

• R-609

Information security began with Rand Report R-609 (paper that started the study of computer security)

Scope of computer security grew from physical security to include:

• Safety of data

• Limiting unauthorized access to data

• Involvement of personnel from multiple levels of an organization

The History of Information Security (Contd…)

• The 1990s

Networks of computers became more common; so too did the need to interconnect networks

Internet became first manifestation of a global network of networks

In early Internet deployments, security was treated as a low priority

The present

• The Internet brings millions of computer networks into communication with each other—many of them unsecured

Securing Components

• Computer can be subject of an attack and/or the object of an attack

– When the subject of an attack, computer is used as an active tool to conduct attack

– When the object of an attack, computer is the entity being attacked

Attack

Balancing Information Security and Access

• Impossible to obtain perfect security—it is a process, not an absolute

• Security should be considered balance between protection and availability

• To achieve balance, level of security must allow reasonable access, yet protect against threats

Approaches to Information Security Implementation: Bottom-Up Approach

• Grassroots effort: systems administrators attempt to improve security of their systems

• Key advantage: technical expertise of individual administrators

• Seldom works, as it lacks a number of critical features:

– Participant support

– Organizational staying power

Approaches to Information Security Implementation: Top-Down Approach

• Initiated by upper management

– Issue policy, procedures and processes

– Dictate goals and expected outcomes of project

– Determine accountability for each required action

• The most successful also involve formal development strategy referred to as systems development life cycle

Security Systems Development Life Cycle (SecSDLC)

Investigation

• Identifies process, outcomes, goals, and constraints of the project

• Begins with enterprise information security policy

• Organizational feasibility analysis is performed

Analysis

• Documents from investigation phase are studied

• Analyzes existing security policies or programs, along with documented current threats and associated controls

• Includes analysis of relevant legal issues that could impact design of the security solution

• The risk management task begins

Logical Design

• Creates and develops blueprints for information security

• Incident response actions planned:

– Incident response

– Disaster recovery

• Feasibility analysis to determine whether project should continue or be outsourced

Physical Design

• Needed security technology is evaluated, alternatives generated, and final design selected

• At end of phase, feasibility study determines readiness of organization for project

Implementation

• Security solutions are acquired, tested, implemented, and tested again

• Personnel issues evaluated; specific training and education programs conducted

• Entire tested package is presented to management for final approval

Maintenance and Change

• Perhaps the most important phase, given the ever-changing threat environment

• Often, reparation and restoration of information is a constant duel with an unseen adversary

• Information security profile of an organization requires constant adaptation as new threats emerge and old threats evolve

Good Practices

One of the best ways to protect your information is to make sure that your computer is not vulnerable to attack from the outside. Here are some steps you can take:

• Keep your computer patches up to date

• Install anti-virus and anti-spyware software and keep it up to date

• Remove all services from your computer that you do not need

• Don't click on links in suspicious email

A number of trends illustrate why security is becoming increasingly difficult:

• Speed of attacks

• Sophistication of attacks

• Faster detection of weaknesses

• Distributed attacks

• Difficulties of patching

Understanding the Importance of Information Security

• Information security is important to businesses:

– Prevents data theft

– Avoids legal consequences of not securing information

– Maintains productivity (an estimated loss of $213,000)

– Foils cyber terrorism

– Thwarts identity theft

Information Security Careers

Information security is one of the fastest growing career fields

As information attacks increase, companies are becoming more aware of their vulnerabilities and are looking for ways to reduce their risks and liabilities

Sometimes divided into three general roles:

- Security manager develops corporate security plans and policies, provides education and awareness, and communicates with executive management about security issues

- Security engineer designs, builds, and tests security solutions to meet policies and address business needs

- Security administrator configures and maintains security solutions to ensure proper service levels and availability