Lecture-1B

Contents

Slide 2

Learning Objectives

Upon completion of this material, you should be able to:
Define information security
Recount the history of computer security and how it evolved into information security
Define key terms and critical concepts of information security
List the phases of the security systems development life cycle
Describe the information security roles of professionals within an organization

Slide 3

Introduction

Information security: a “well-informed sense of assurance that the information risks and controls are in balance.” —Jim Anderson, Emagined Security, Inc.
Security professionals must review the origins of this field to understand its impact on our understanding of information security today.

Slide 4

The History of Information Security

Computer security began immediately after the first mainframes were developed.
The groups that developed the code-breaking computations during World War II created the first modern computers.
Multiple levels of security were implemented:
Physical controls limiting access to sensitive military locations to authorized personnel
Rudimentary in defending against physical theft, espionage, and sabotage

Slide 6

Figure 1-1 – The Enigma

Slide 7

The 1960s

The Advanced Research Projects Agency (ARPA) began to examine the feasibility of redundant networked communications.
Larry Roberts developed the ARPANET from its inception.

Slide 8

Figure 1-2 – ARPANET

Slide 9

The 1970s and 80s

ARPANET grew in popularity, as did its potential for misuse.
Fundamental problems with ARPANET security were identified:
No safety procedures for dial-up connections to ARPANET
Nonexistent user identification and authorization to the system

Slide 10

The 1970s and 80s (cont’d)

Information security began with Rand Report R-609, the paper that started the study of computer security and identified the role of management and policy issues in it.
The scope of computer security grew from physical security to include:
Securing the data
Limiting random and unauthorized access to data
Involving personnel from multiple levels of the organization in information security

Slide 12

MULTICS

The early focus of computer security research centered on a system called Multiplexed Information and Computing Service (MULTICS).
It was the first operating system created with security integrated into its core functions.
This mainframe, time-sharing OS was developed in the mid-1960s by General Electric (GE), Bell Labs, and the Massachusetts Institute of Technology (MIT).
Several MULTICS key players created UNIX.
The primary purpose of UNIX was text processing.
Late 1970s: the microprocessor expanded computing capabilities and security threats.

Slide 13

The 1990s

Networks of computers became more common, as did the need to connect them to each other.
The Internet became the first global network of networks.
Initially, network connections were based on de facto standards.
In early Internet deployments, security was treated as a low priority.
In 1993, the DEFCON conference was established for those interested in information security.

Slide 14

2000 to Present

The Internet brings millions of unsecured computer networks into continuous communication with each other.
The ability to secure a computer’s data is influenced by the security of every computer to which it is connected.
The growing threat of cyber attacks has increased awareness of the need for improved security.
Nation-states are engaging in information warfare.

Slide 15

What Is Security?

“A state of being secure and free from danger or harm; the actions taken to make someone or something secure.”
A successful organization should have multiple layers of security in place to protect:
Operations
Physical infrastructure
People
Functions
Communications
Information

Slide 16

What Is Security? (cont’d)

The protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.
Includes information security management, data security, and network security.
C.I.A. triangle: a standard based on confidentiality, integrity, and availability, now viewed as inadequate.
The expanded model consists of a list of critical characteristics of information.

Slide 18

Key Information Security Concepts

A computer can be the subject of an attack and/or the object of an attack.
When it is the subject of an attack, the computer is used as an active tool to conduct the attack.
When it is the object of an attack, the computer is the entity being attacked.

Slide 19

Critical Characteristics of Information

The value of information comes from the characteristics it possesses:
Availability
Accuracy
Authenticity
Confidentiality
Integrity
Utility
Possession
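The distinction between integrity and authenticity in this list is easy to blur. The following Python, added here as an example and not part of the lecture slides, checks a constructed sample record first with an unkeyed SHA-256 digest (integrity: was the data changed?) and then with an HMAC under a shared secret (authenticity: did a key holder produce it?). The record text, the shared key and the forger's guessed key are all constructed sample values.

```python
"""Integrity vs. authenticity checks on a constructed message.

Added example (not part of the original lecture slides). A plain hash
proves that data was not changed in transit, but anyone can recompute it,
so it says nothing about who produced the data. A keyed MAC (HMAC) binds
the data to a shared secret, so a tag only verifies when the sender held
the key. All messages and keys below are constructed sample values.
"""
import hashlib
import hmac


def integrity_digest(data: bytes) -> str:
    """Unkeyed SHA-256 digest: detects accidental or deliberate modification,
    provided the digest itself is delivered over a trusted path."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, expected_digest: str) -> bool:
    """Integrity check: does the received data still match the published digest?"""
    return hmac.compare_digest(integrity_digest(data), expected_digest)


def authenticity_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 over the data with a shared secret; only key holders can compute it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def authenticity_ok(key: bytes, data: bytes, tag: str) -> bool:
    """Authenticity check; constant-time comparison so the verifier does not
    leak how many leading bytes of a wrong tag happened to match."""
    return hmac.compare_digest(authenticity_tag(key, data), tag)


def demo() -> dict:
    """Run both checks over constructed sample records and return the outcomes."""
    key = b"constructed-shared-secret"        # constructed sample key
    message = b"transfer 100 to account 42"    # constructed sample record
    modified = b"transfer 900 to account 42"   # same record, one field changed

    digest = integrity_digest(message)
    tag = authenticity_tag(key, message)

    # The unkeyed hash catches the modification of the original record ...
    tampered_integrity = integrity_ok(modified, digest)
    # ... but a fresh hash published alongside the altered record verifies
    # just as well: the verifier cannot tell the two publishers apart.
    fresh_digest_accepted = integrity_ok(modified, integrity_digest(modified))

    # With HMAC, a tag computed without the real key does not verify.
    wrong_key_tag = authenticity_tag(b"not-the-real-key", modified)
    wrong_key_tag_accepted = authenticity_ok(key, modified, wrong_key_tag)

    return {
        "original_integrity": integrity_ok(message, digest),
        "tampered_integrity": tampered_integrity,
        "fresh_digest_accepted": fresh_digest_accepted,
        "original_authenticity": authenticity_ok(key, message, tag),
        "tampered_authenticity": authenticity_ok(key, modified, tag),
        "wrong_key_tag_accepted": wrong_key_tag_accepted,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Reading the results side by side makes the slide's point concrete: the digest alone tells the recipient the record is intact, which is integrity; only the keyed tag tells the recipient the record came from someone holding the shared key, which is authenticity. Confidentiality is a separate property again, since neither check hides the record's contents.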

Slide 20

Components of an Information System

An information system (IS) is the entire set of people, procedures, and technology that enable a business to use information:
Software
Hardware
Data
People
Procedures
Networks

Slide 21

Balancing Information Security and Access

It is impossible to obtain perfect information security—it is a process, not a goal.
Security should be considered a balance between protection and availability.
To achieve balance, the level of security must allow reasonable access, yet protect against threats.

Slide 22

Approaches to Information Security Implementation: Bottom-Up Approach

Grassroots effort: systems administrators attempt to improve the security of their systems.
Key advantage: the technical expertise of individual administrators.
Seldom works, as it lacks a number of critical features:
Participant support
Organizational staying power

Slide 23

Approaches to Information Security Implementation: Top-Down Approach

Initiated by upper management, which:
Issues policy, procedures, and processes
Dictates goals and expected outcomes of the project
Determines accountability for each required action
The most successful type of top-down approach also involves a formal development strategy referred to as the systems development life cycle.

Slide 25

Security Professionals and the Organization

A wide range of professionals is required to support a diverse information security program.
Senior management is the key component.
Additional administrative support and technical expertise are required to implement the details of the IS program.

Slide 26

Senior Management

Chief information officer (CIO)
The senior technology officer
Primarily responsible for advising the senior executives on strategic planning
Chief information security officer (CISO)
Has primary responsibility for the assessment, management, and implementation of IS in the organization
Usually reports directly to the CIO

Slide 27

Information Security Project Team

A small functional team of people who are experienced in one or multiple facets of the required technical and nontechnical areas:
Champion
Team leader
Security policy developers
Risk assessment specialists
Security professionals
Systems administrators
End users

Slide 28

Data Responsibilities

Data owners: senior management responsible for the security and use of a particular set of information
Data custodians: responsible for the information and the systems that process, transmit, and store it
Data users: individuals with an information security role

Slide 29

Communities of Interest

A group of individuals united by similar interests/values within an organization:
Information security management and professionals
Information technology management and professionals
Organizational management and professionals

Slide 30

Information Security: Is It an Art or a Science?

The implementation of information security is often described as a combination of art and science.
“Security artisan” idea: based on the way individuals perceive system technologists and their abilities.

Slide 31

Security as Art

There are no hard and fast rules, nor many universally accepted complete solutions.
There is no manual for implementing security through an entire system.

Slide 32

Security as Science

Deals with technology designed for rigorous performance levels.
Specific conditions cause virtually all actions in computer systems.
Almost every fault, security hole, and systems malfunction is a result of the interaction of specific hardware and software.
If developers had sufficient time, they could resolve and eliminate these faults.

Slide 33

Security as a Social Science

Social science examines the behavior of individuals interacting with systems.
Security begins and ends with the people that interact with the system, intentionally or otherwise.
Security administrators can greatly reduce the levels of risk caused by end users and create more acceptable and supportable security profiles.

Slide 34

Summary

Information security is a “well-informed sense of assurance that the information risks and controls are in balance.”
Computer security began immediately after the first mainframes were developed.
Successful organizations have multiple layers of security in place: physical, personal, operations, communications, network, and information.

Slide 35

Summary (cont’d)

Security should be considered a balance between protection and availability.
Information security must be managed similarly to any major system implemented in an organization.
The implementation of information security is often described as a combination of art and science.
File name: Lecture-1B.pptx