Introduction To Information Security: Lesson Objectives


CHAPTER 1:

Introduction to Information Security


Lesson Objectives:
Upon completion of this material, you should be able to:
Define information security
Recount the history of computer security, and explain how it evolved into information security
Define key terms and critical concepts of information security
Enumerate the phases of the security systems development life cycle
Describe the information security roles of professionals within an organization

INTRODUCTION
James Anderson, executive consultant at Emagined Security, Inc., believes information security in an
enterprise is a “well-informed sense of assurance that the information risks and controls are in balance.” He is
not alone in his perspective. Many information security practitioners recognize that aligning information security
needs with business objectives must be the top priority.

What Is Information Security?


• Information security: the protection of information assets that use, store, or transmit information from
risk through the application of policy, education, and technology.

THE HISTORY OF INFORMATION SECURITY


The 1960s
• Advanced Research Projects Agency (ARPA) began to examine feasibility of redundant networked
communications
• Larry Roberts developed ARPANET from its inception
The 1970s and 80s
• ARPANET grew in popularity as did its potential for misuse
• Fundamental problems with ARPANET security were identified
– No safety procedures for dial-up connections to ARPANET
– Nonexistent user identification and authorization to system
• Late 1970s: microprocessor expanded computing capabilities and security threats
MULTICS
• Early focus of computer security research was a system called Multiplexed Information and Computing
Service (MULTICS)
• First operating system created with security as its primary goal
• Mainframe, time-sharing OS developed in mid-1960s by General Electric (GE), Bell Labs, and
Massachusetts Institute of Technology (MIT)
• Several MULTICS key players created UNIX
• Primary purpose of UNIX was text processing
The 1990s
• Networks of computers became more common; so too did the need to interconnect networks
• Internet became first manifestation of a global network of networks
• Initially based on de facto standards
• In early Internet deployments, security was treated as a low priority

2000 to Present
1-1 IAS 101 – Information Assurance and Security 1
• The Internet brings millions of computer networks into communication with each other—many of them
unsecured
• Ability to secure a computer’s data influenced by the security of every computer to which it is connected
• Growing threat of cyber attacks has increased the need for improved security

WHAT IS SECURITY?
• “The quality or state of being secure—to be free from danger”
• A successful organization should have multiple layers of security in place:
– Physical security
• to protect physical items, objects, or areas from unauthorized access and misuse
– Personal security
• to protect the individual or group of individuals who are authorized to access the
organization and its operations
– Operations security
• to protect the details of a particular operation or series of activities
– Communications security
• to protect communications media, technology, and content
– Network security
• to protect networking components, connections, and contents
– Information security
• to protect the confidentiality, integrity and availability of information assets, whether in
storage, processing, or transmission. It is achieved via the application of policy,
education, training and awareness, and technology.
• The protection of information and its critical elements, including systems and hardware that use, store,
and transmit that information
• Necessary tools: policy, awareness, training, education, technology
• C.I.A. triangle
– Was standard based on confidentiality, integrity, and availability
– Now expanded into list of critical characteristics of information

Key Information Security Concepts:


– ACCESS: A subject or object’s ability to use, manipulate, modify, or affect another subject or object.
Authorized users have legal access to a system, whereas hackers have illegal access to a system.
Access controls regulate this ability.
– ASSET: The organizational resource that is being protected. An asset can be logical, such as a Web
site, information, or data; or an asset can be physical, such as a person, computer system, or other
tangible object. Assets, and particularly information assets, are the focus of security efforts; they are
what those efforts are attempting to protect.
– ATTACK: An intentional or unintentional act that can cause damage to or otherwise compromise
information and/or the systems that support it. Attacks can be active or passive, intentional or
unintentional, and direct or indirect.
– CONTROL, SAFEGUARD, OR COUNTERMEASURE: Security mechanisms, policies, or procedures
that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the
security within an organization.

– EXPLOIT: Threat agents may attempt to exploit a system or other information asset by using it illegally
for their personal gain. Or, an exploit can be a documented process to take advantage of a vulnerability
or exposure, usually in software, that is either inherent in the software or is created by the attacker.
– EXPOSURE: A condition or state of being exposed. In information security, exposure exists when a
vulnerability known to an attacker is present.
– LOSS: A single instance of an information asset suffering damage or unintended or unauthorized
modification or disclosure. When an organization’s information is stolen, it has suffered a loss.
– PROTECTION PROFILE OR SECURITY POSTURE: The entire set of controls and safeguards,
including policy, education, training and awareness, and technology, that the organization implements
(or fails to implement) to protect the asset. The terms are sometimes used interchangeably with the
term security program, although the security program often comprises managerial aspects of security,
including planning, personnel, and subordinate programs.
– RISK: The probability that something unwanted will happen. Organizations must minimize risk to match
their risk appetite—the quantity and nature of risk the organization is willing to accept.
– SUBJECTS AND OBJECTS: A computer can be both the subject and object of an attack, when, for example, it
is compromised by an attack (object), and is then used to attack other systems (subject).
– THREAT: A category of objects, persons, or other entities that presents a danger to an asset. Threats
are always present and can be purposeful or undirected.
– THREAT AGENT: The specific instance or a component of a threat. For example, all hackers in the
world present a collective threat, while Kevin Mitnick, who was convicted for hacking into phone
systems, is a specific threat agent. Likewise, a lightning strike, hailstorm, or tornado is a threat agent
that is part of the threat of severe storms.
– VULNERABILITY: A weakness or fault in a system or protection mechanism that opens it to attack
or damage. Some examples of vulnerabilities are a flaw in a software package, an unprotected system
port, and an unlocked door. Some well-known vulnerabilities have been examined, documented, and
published; others remain latent (or undiscovered).

Critical Characteristics of Information


• The value of information comes from the characteristics it possesses:
– Availability
• Availability enables authorized users—persons or computer systems—to access
information without interference or obstruction and to receive it in the required format.
– Accuracy
• Information has accuracy when it is free from mistakes or errors and it has the value that
the end user expects. If information has been intentionally or unintentionally modified, it
is no longer accurate.
– Authenticity
• Authenticity of information is the quality or state of being genuine or original, rather than
a reproduction or fabrication. Information is authentic when it is in the same state in
which it was created, placed, stored, or transferred.
– Confidentiality
• Information has confidentiality when it is protected from disclosure or exposure to
unauthorized individuals or systems. Confidentiality ensures that only those with the
rights and privileges to access information are able to do so.

• To protect the confidentiality of information, you can use a number of measures,
including the following:
1. Information classification
2. Secure document storage
3. Application of general security policies
4. Education of information custodians and end users
– Integrity
• Information has integrity when it is whole, complete, and uncorrupted. The integrity of
information is threatened when the information is exposed to corruption, damage,
destruction, or other disruption of its authentic state.
– Utility
• The utility of information is the quality or state of having value for some purpose or end.
Information has value when it can serve a purpose. If information is available, but is not
in a format meaningful to the end user, it is not useful.
– Possession
• The possession of information is the quality or state of ownership or control. Information
is said to be in one’s possession if one obtains it, independent of format or other
characteristics.

COMPONENTS OF AN INFORMATION SYSTEM


• An information system (IS) is the entire set of components necessary to use information as a resource in the
organization
– SOFTWARE. The software component of the IS comprises applications, operating systems, and
assorted command utilities. Software is perhaps the most difficult IS component to secure.
– HARDWARE. Hardware is the physical technology that houses and executes the software,
stores and transports the data, and provides interfaces for the entry and removal of information
from the system.
– DATA. Data stored, processed, and transmitted by a computer system must be protected. Data
is often the most valuable asset possessed by an organization and it is the main target of
intentional attacks.
– PEOPLE. Though often overlooked in computer security considerations, people have always
been a threat to information security.
– PROCEDURES. Procedures are written instructions for accomplishing a specific task. When an
unauthorized user obtains an organization’s procedures, this poses a threat to the integrity of
the information.
– NETWORKS. The IS component that created much of the need for increased computer and
information security is networking. When information systems are connected to each other to
form local area networks (LANs), and these LANs are connected to other networks such as the
Internet, new security challenges rapidly emerge.

BALANCING INFORMATION SECURITY AND ACCESS


• Impossible to obtain perfect security—it is a process, not an absolute
• Security should be considered balance between protection and availability
• To achieve balance, level of security must allow reasonable access, yet protect against threats

THE SYSTEM DEVELOPMENT LIFE CYCLE
Methodology and Phases
– The systems development life cycle (SDLC) is a methodology for the design and implementation of an
information system.
– A methodology is a formal approach to solving a problem by means of a structured sequence of
procedures.
Phases of the traditional SDLC
– Investigation
o The first phase, investigation, is the most important. What problem is the system being
developed to solve? The investigation phase begins with an examination of the event or plan
that initiates the process.
– Analysis
o The analysis phase begins with the information gained during the investigation phase. This
phase consists primarily of assessments of the organization, its current systems, and its
capability to support the proposed systems.
– Logical Design
o In the logical design phase, the information gained from the analysis phase is used to begin
creating a systems solution for a business problem.
– Physical Design
o During the physical design phase, specific technologies are selected to support the alternatives
identified and evaluated in the logical design.
– Implementation
o In the implementation phase, any needed software is created. Components are ordered,
received, and tested. Afterward, users are trained and supporting documentation created.
– Maintenance and Change
o The maintenance and change phase is the longest and most expensive phase of the process.
This phase consists of the tasks necessary to support and modify the system for the remainder
of its useful life cycle.

Securing the SDLC


Each of the example SDLC phases [discussed earlier] includes a minimum set of security steps needed to
effectively incorporate security into a system during its development. An organization will either use the general
SDLC described [earlier] or will have developed a tailored SDLC that meets their specific needs. In either case,
NIST recommends that organizations incorporate the associated IT security steps of this general SDLC into
their development process:
Investigation/Analysis Phases
• Security categorization—defines three levels (i.e., low, moderate, or high) of potential impact on
organizations or individuals should there be a breach of security (a loss of confidentiality, integrity, or
availability). Security categorization standards assist organizations in making the appropriate selection
of security controls for their information systems.
• Preliminary risk assessment—results in an initial description of the basic security needs of the system.
A preliminary risk assessment should define the threat environment in which the system will operate.
Logical/Physical Design Phases
• Risk assessment—analysis that identifies the protection requirements for the system through a formal
risk assessment process. This analysis builds on the initial risk assessment performed during the
Initiation phase, but will be more in-depth and specific.
• Security functional requirements analysis—analysis of requirements that may include the following
components: (1) system security environment (i.e., enterprise information security policy and enterprise
security architecture) and (2) security functional requirements
• Security assurance requirements analysis—analysis of requirements that address the developmental
activities required and assurance evidence needed to produce the desired level of confidence that the
information security will work correctly and effectively. The analysis, based on legal and functional
security requirements, will be used as the basis for determining how much and what kinds of assurance
are required.
• Cost considerations and reporting—determines how much of the development cost can be attributed to
information security over the life cycle of the system. These costs include hardware, software,
personnel, and training.
• Security planning—ensures that agreed upon security controls, planned or in place, are fully
documented. The security plan also provides a complete characterization or description of the
information system as well as attachments or references to key documents supporting the agency’s
information security program (e.g., configuration management plan, contingency plan, incident
response plan, security awareness and training plan, rules of behavior, risk assessment, security test
and evaluation results, system interconnection agreements, security authorizations/accreditations, and
plan of action and milestones).
• Security control development—ensures that security controls described in the respective security plans
are designed, developed, and implemented. For information systems currently in operation, the security
plans for those systems may call for the development of additional security controls to supplement the
controls already in place or the modification of selected controls that are deemed to be less than
effective.
• Developmental security test and evaluation—ensures that security controls developed for a new
information system are working properly and are effective. Some types of security controls (primarily
those controls of a non-technical nature) cannot be tested and evaluated until the information system is
deployed—these controls are typically management and operational controls.
• Other planning components—ensures that all necessary components of the development process are
considered when incorporating security into the life cycle. These components include selection of the
appropriate contract type, participation by all necessary functional groups within an organization,
participation by the certifier and accreditor, and development and execution of necessary contracting
plans and processes.
Implementation Phase
• Inspection and acceptance—ensures that the organization validates and verifies that the functionality
described in the specification is included in the deliverables.
• System integration—ensures that the system is integrated at the operational site where the information
system is to be deployed for operation. Security control settings and switches are enabled in
accordance with vendor instructions and available security implementation guidance.
• Security certification—ensures that the controls are effectively implemented through established
verification techniques and procedures and gives organization officials confidence that the appropriate
safeguards and countermeasures are in place to protect the organization’s information system.
Security certification also uncovers and describes the known vulnerabilities in the information system.
• Security accreditation—provides the necessary security authorization of an information system to
process, store, or transmit information that is required. This authorization is granted by a senior
organization official and is based on the verified effectiveness of security controls to some agreed upon
level of assurance and an identified residual risk to agency assets or operations.
Maintenance and Change Phase
• Configuration management and control—ensures adequate consideration of the potential security
impacts due to specific changes to an information system or its surrounding environment. Configuration
management and configuration control procedures are critical to establishing an initial baseline of
hardware, software, and firmware components for the information system and subsequently controlling
and maintaining an accurate inventory of any changes to the system.
• Continuous monitoring—ensures that controls continue to be effective in their application through
periodic testing and evaluation. Security control monitoring (i.e., verifying the continued effectiveness of
those controls over time) and reporting the security status of the information system to appropriate
agency officials is an essential activity of a comprehensive information security program.
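
An added example (not part of the original handout) of the configuration management and control step above: it records a baseline inventory of a component tree, detects drift against it, and rolls only changes that have an approved change record into the baseline. The directory layout, file contents and the change-record ID are constructed for illustration, and SHA-256 hashing is an assumed implementation choice.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large components are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_inventory(root):
    """Return {relative_path: sha256} for every regular file under root."""
    inventory = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            inventory[rel] = sha256_file(full)
    return inventory


def find_drift(baseline, current):
    """Classify every difference between the baseline and the current state."""
    drift = {}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            drift[path] = "added"
        elif path not in current:
            drift[path] = "removed"
        elif baseline[path] != current[path]:
            drift[path] = "modified"
    return drift


def reconcile(baseline, current, drift, approved):
    """Configuration control: approved changes update the baseline,
    everything else is reported as a finding and the baseline keeps
    the last known-good value."""
    new_baseline = dict(baseline)
    findings = []
    for path, kind in drift.items():
        if path in approved:
            if kind == "removed":
                new_baseline.pop(path)
            else:
                new_baseline[path] = current[path]
        else:
            findings.append((path, kind))
    return new_baseline, findings


def demo():
    """Build a constructed component tree, change it, and reconcile."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(text)

        # Initial baseline of software, configuration and firmware files.
        write("etc/app.conf", "tls=on\n")
        write("bin/service", "v1\n")
        write("firmware/nic.bin", "fw-1.0\n")
        baseline = take_inventory(root)

        # Later state: one approved upgrade and three unrecorded changes.
        write("bin/service", "v2\n")
        write("etc/app.conf", "tls=off\n")
        os.remove(os.path.join(root, "firmware/nic.bin"))
        write("bin/helper", "new\n")
        current = take_inventory(root)

        drift = find_drift(baseline, current)
        approved = {"bin/service": "CR-EXAMPLE-001"}  # constructed change record
        new_baseline, findings = reconcile(baseline, current, drift, approved)
        return drift, findings, baseline, new_baseline


if __name__ == "__main__":
    _drift, findings, _old, _new = demo()
    for path, kind in findings:
        print(f"unapproved change: {kind:8s} {path}")
```
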

THE SECURITY SYSTEMS DEVELOPMENT LIFE CYCLE


– Investigation
o The investigation phase of the SecSDLC begins with a directive from upper management,
dictating the process, outcomes, and goals of the project, as well as its budget and other
constraints. Frequently, this phase begins with an enterprise information security policy (EISP),
which outlines the implementation of a security program within the organization.
– Analysis
o In the analysis phase, the documents from the investigation phase are studied. The
development team conducts a preliminary analysis of existing security policies or programs,
along with that of documented current threats and associated controls. This phase also includes
an analysis of relevant legal issues that could affect the design of the security solution.
– Logical Design
o The logical design phase creates and develops the blueprints for information security, and
examines and implements key policies that influence later decisions. Also at this stage, the
team plans the incident response actions to be taken in the event of partial or catastrophic loss.
The planning answers the following questions:
• Continuity planning: How will business continue in the event of a loss?
• Incident response: What steps are taken when an attack occurs?
• Disaster recovery: What must be done to recover information and vital systems
immediately after a disastrous event?
– Physical Design
o The physical design phase evaluates the information security technology needed to support the
blueprint outlined in the logical design, generates alternative solutions, and determines a final
design. The information security blueprint may be revisited to keep it in line with the changes
needed when the physical design is completed.
– Implementation
o The implementation phase of the SecSDLC is also similar to that of the traditional SDLC. The
security solutions are acquired (made or bought), tested, implemented, and tested again.
Personnel issues are evaluated, and specific training and education programs conducted.
Finally, the entire tested package is presented to upper management for final approval.

– Maintenance and Change


o Maintenance and change is the last, though perhaps most important, phase, given the current
ever-changing threat environment. Today’s information security systems need constant
monitoring, testing, modification, updating, and repairing.
SECURITY PROFESSIONALS AND ORGANIZATION
– Senior Management
o The senior technology officer is typically the chief information officer (CIO), although other titles
such as vice president of information, VP of information technology, and VP of systems may be
used. The CIO is primarily responsible for advising the chief executive officer, president, or
company owner on the strategic planning that affects the management of information in the
organization.
o The chief information security officer (CISO) has primary responsibility for the assessment,
management, and implementation of information security in the organization. The CISO may
also be referred to as the manager for IT security, the security administrator, or a similar title.
– Information Security Project Team
o The information security project team should consist of a number of individuals who are
experienced in one or multiple facets of the required technical and nontechnical areas.
o Members of the security project team fill the following roles:
• Champion: A senior executive who promotes the project and ensures its support, both
financially and administratively, at the highest levels of the organization.
• Team leader: A project manager, who may be a departmental line manager or staff unit
manager, who understands project management, personnel management, and
information security technical requirements.
• Security policy developers: People who understand the organizational culture, existing
policies, and requirements for developing and implementing successful policies.
• Risk assessment specialists: People who understand financial risk assessment
techniques, the value of organizational assets, and the security methods to be used.
• Security professionals: Dedicated, trained, and well-educated specialists in all aspects of
information security from both a technical and nontechnical standpoint.
• Systems administrators: People with the primary responsibility for administering the
systems that house the information used by the organization.
• End users: Those whom the new system will most directly affect. Ideally, a selection of
users from various departments, levels, and degrees of technical knowledge assist the
team in focusing on the application of realistic controls applied in ways that do not
disrupt the essential business activities they seek to safeguard.
– Data Responsibilities
o The three types of data ownership and their respective responsibilities are outlined below:
• Data owners: Those responsible for the security and use of a particular set of
information. They are usually members of senior management and could be CIOs. The
data owners usually determine the level of data classification (discussed later), as well
as the changes to that classification required by organizational change. The data owners
work with subordinate managers to oversee the day-to-day administration of the data.
• Data custodians: Working directly with data owners, data custodians are responsible for
the storage, maintenance, and protection of the information. Depending on the size of
the organization, this may be a dedicated position, such as the CISO, or it may be an
additional responsibility of a systems administrator or other technology manager. The
duties of a data custodian often include overseeing data storage and backups,
implementing the specific procedures and policies laid out in the security policies and
plans, and reporting to the data owner.
• Data users: End users who work with the information to perform their assigned roles
supporting the mission of the organization. Everyone in the organization is responsible
for the security of data, so data users are included here as individuals with an
information security role.
SUMMARY
• Information security evolved from the early field of computer security.
• Security is protection from danger. There are a number of types of security: physical security, personal
security, operations security, communications security, national security, and network security, to name a
few.
• Information security is the protection of information assets that use, store, or transmit information from risk
through the application of policy, education, and technology.
• The critical characteristics of information, among them confidentiality, integrity, and availability (the C.I.A.
triangle), must be protected at all times; this protection is implemented by multiple measures (policies,
education, training and awareness, and technology).
• Information systems are made up of six major components: hardware, software, data, people, procedures,
and networks.
• Upper management drives the top-down approach to security implementation, in contrast with the bottom-up
approach or grassroots effort, whereby individuals choose security implementation strategies.
• The traditional systems development life cycle (SDLC) is an approach to implementing a system in an
organization and has been adapted to provide the outline of a security systems development life cycle
(SecSDLC).
• The control and use of data in the organization is accomplished by
o Data owners—responsible for the security and use of a particular set of information
o Data custodians—responsible for the storage, maintenance, and protection of the information
o Data users—work with the information to perform their daily jobs supporting the mission of the
organization

Activity 1. Case Exercises


The next day at SLS found everyone in technical support busy restoring computer systems to their former state
and installing new virus and worm control software. Amy found herself learning how to install desktop computer
operating systems and applications as SLS made a heroic effort to recover from the attack of the previous day.
Questions:
1. Do you think this event was caused by an insider or outsider? Why do you think this?
2. Other than installing virus and worm control software, what can SLS do to prepare for the next incident?
3. Do you think this attack was the result of a virus or a worm? Why do you think this?

Activity 2. Research
Using the Web, find out more about Kevin Mitnick. What did he do? Who caught him? Write a short summary
of his activities and explain why he is infamous.