1. Ch1 Introduction

Upload: saddam-saleh

Post on 07-Apr-2018


  • 8/3/2019 1. Ch1 Introduction

    1/46

    First semester 2009

    INFORMATION SYSTEM SECURITY

    Chapter 1: Introduction

    Dr. Malek Kakish

    Faculty of Computer Sciences and Informatics, Amman Arab University

    Amman - Jordan

  • 2/46

    ANNOUNCEMENTS

    Textbook

    Whitman, Michael E. & Mattord, Herbert J. Principles of Information Security (second edition), Thomson Course Technology, Boston, MA, 2005.

    Lecture slides

    Modified, with extra material added when needed, by Dr. Malek Kakish
  • 3/46

    EXAMS AND GRADING POLICY

    First Exam : 20%

    Second Exam : 20%

    Final Exam : 50%

    Homework & Activity : 10%

    Homework

    By individual student.

  • 4/46

    PROJECT & HW RULES

    Projects & Homework that are copied, 1% similar, or written together Will Result In Course Failure.

    Everyone must write up their own work.

  • 5/46

    CLASS RULES

    Any student who gets 4 absences will definitely fail this course.

    Switch OFF your mobiles.

  • 6/46

    HOMEWORK SUBMISSION FORMAT:

    No paper homework will be accepted!! Send all your homework to: [email protected]

    In the Subject box type:

    Your_First_name Your_Last_name; Security ; HW xx : Example:

    Malek Kakish; Security ; HW 3:

    You will get an acknowledgment msg.
  • 7/46

    LEARNING OBJECTIVES:

    Upon completion of this chapter you should be able to:

    Understand the definition of information security.

    Comprehend the history of computer security and how it evolved into information security.

    Understand the key terms and critical concepts of information security as presented in the chapter.

    Outline the phases of the security systems development life cycle.

    Understand the roles of the professionals involved in information security within an organizational structure.

  • 8/46

    CHAPTER 1 INTRODUCTION

    Do not figure on opponents not attacking;

    Worry about your own lack of preparation.

    BOOK OF THE FIVE RINGS

  • 9/46

    INTRODUCTION

    LAN security, WAN security, Internet security, Information security, IP security, data security, database security, computer security, network security, security protocols, security for mobile communication, security for mobile devices, security for e-business, e-payment security, WAP security, security for wireless communication, application level security, transport level security, data link security, operating system security, multimedia security, smart card security, credit card security, mainframe security, router security, gateway security, security of handheld PCs ..etc.

    Definition of Security: the sum of all measures taken to prevent loss of information.

  • 10/46

    INTRODUCTION

    Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

    Computer security is a branch of computer technology known as Information Security as applied to computers and networks.

  • 11/46

    THE HISTORY OF INFORMATION SECURITY

    Julius Caesar is credited with the invention of the Caesar cipher ca. 50 B.C., which was created in order to prevent his secret messages from being read should a message fall into the wrong hands.

    During World War II, access to sensitive military data was controlled through badges, keys, and facial recognition.
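
As an added example (not part of the original slides), here is the Caesar shift cipher just mentioned, together with an exhaustive trial over its 25 possible keys: it shows why a message that falls into the wrong hands stays secret only as long as the method itself is unknown. The sample message, the shift of 3 and the crib word are constructed for the illustration.

```python
from typing import Optional


def caesar_encrypt(plaintext: str, key: int) -> str:
    """Shift every ASCII letter of plaintext forward by `key` positions (mod 26).

    Letters keep their case; any other character (space, digits,
    punctuation) is passed through unchanged.
    """
    out = []
    for ch in plaintext:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    """Decryption is encryption with the negated key."""
    return caesar_encrypt(ciphertext, -key)


def recover_key(ciphertext: str, crib: str) -> Optional[int]:
    """Try all 25 non-trivial shifts and return the first key whose
    decryption contains the expected word `crib` (case-insensitive).

    Returns None when no shift produces the crib. Because the key space
    is only 25, this exhaustive trial is instantaneous, which is why the
    cipher offers no protection once the method is known to the reader.
    """
    for key in range(1, 26):
        if crib.upper() in caesar_decrypt(ciphertext, key).upper():
            return key
    return None


if __name__ == "__main__":
    # Constructed sample message and key, not a historical one.
    message = "The legion crosses the river at dawn"
    key = 3
    secret = caesar_encrypt(message, key)
    print("ciphertext:   ", secret)                        # Wkh ohjlrq furvvhv wkh ulyhu dw gdzq
    print("recovered key:", recover_key(secret, "dawn"))   # 3
    print("plaintext:    ", caesar_decrypt(secret, 3))     # The legion crosses the river at dawn
```
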
  • 12/46

    THE HISTORY OF INFORMATION SECURITY

    The procedures of computer security were expanded to embrace more complex and more technologically sophisticated safeguards.

    Enigma, Mainframes

  • 13/46

    THE HISTORY OF INFORMATION SECURITY

    Enable computer centers to communicate instead of mailing magnetic tapes.

    Mid 1960s: MULTICS (OS with multi-level security)

    In 1968: ARPA project starts

    Mid-1969: UNIX; early 1970: password function implemented in UNIX

    Late 1970s: the microprocessor brought

  • 14/46

    THE HISTORY OF INFORMATION SECURITY

    The personal computer, built with this microprocessor technology.

    Decentralization of data and processing power.

    1973: Robert M and Bob Metcalfe (Ethernet developer) identified fundamental problems with ARPANET security.

    The need for sharing increased during the 1980s.

  • 15/46

    WHAT IS SECURITY?

    In general: the quality or state of being secure - to be free from danger.

    Building protection against adversaries.

    A successful organization should have the following multiple layers of security to protect its operations:

    1- Physical security (physical items, objects, ..)

    2- Personal security (individual or group)

    3- Operations security (operation or series

  • 16/46

    WHAT IS SECURITY?

    4- Communication security (organizational communication)

    5- Network security (network components, ..)

    6- Information security (IS)

    Information security (IS), as defined by the standards published by the Committee on National Security Systems (CNSS), is the protection of information including the systems and hardware that use, store, and transmit that information.

  • 17/46

    WHAT IS SECURITY?

  • 18/46

    CRITICAL CHARACTERISTICS OF INFORMATION

    The value of information comes from the characteristics it possesses.

    Some of the critical characteristics are:

    1- Availability

    2- Accuracy

    3- Authenticity

    4- Confidentiality

    5- Integrity

    6- Possession

  • 19/46

    CRITICAL CHARACTERISTICS OF INFORMATION

    1- Availability: enables authorized users, persons or computer systems, to access information without interference or obstruction, and to receive it in the required form.

    2- Accuracy: information has accuracy when it is free from mistakes or errors and it has the value that the end user expects.

    3- Authenticity: the authenticity of information is the quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is the information that was originally created, placed, stored, or transferred.

  • 20/46

    CRITICAL CHARACTERISTICS OF INFORMATION

    4- Confidentiality: when disclosure or exposure to unauthorized individuals or systems is prevented; ensures that only those with the rights and privileges to access information are able to do so.

    5- Integrity: information has integrity when it is whole and uncorrupted.

    6- Possession: the possession of information is the quality or state of having ownership or control of some object or item.
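
The difference between integrity and authenticity in the list above is easy to blur. As an added example that is not from the slides or the textbook, the following compares an unkeyed SHA-256 checksum, which detects accidental corruption (integrity), with a keyed HMAC, which additionally shows that the record is the one the key holder originally created (authenticity). The record, the corrupted copy and the forged copy are constructed sample data.

```python
import hashlib
import hmac
import secrets


def integrity_tag(data: bytes) -> str:
    """Unkeyed SHA-256 digest: detects accidental corruption of `data`."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, tag: str) -> bool:
    """True when `data` still matches the stored digest."""
    return hmac.compare_digest(integrity_tag(data), tag)


def authenticity_tag(key: bytes, data: bytes) -> str:
    """Keyed HMAC-SHA256: only a holder of `key` can produce a valid tag,
    so a matching tag shows the data is what the key holder created
    (authenticity) as well as unmodified since then (integrity)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def authenticity_ok(key: bytes, data: bytes, tag: str) -> bool:
    """True when `tag` was computed over `data` with `key`."""
    # compare_digest runs in constant time so the comparison does not
    # leak the position of the first mismatching character.
    return hmac.compare_digest(authenticity_tag(key, data), tag)


def demo() -> dict:
    """Constructed scenario: a stored record, an accidental one-character
    change in storage, and a deliberate replacement by someone who can
    recompute the checksum but does not hold the key."""
    key = secrets.token_bytes(32)  # held only by the system that stored the record
    record = b"account=1042;balance=500.00"
    checksum = integrity_tag(record)
    mac = authenticity_tag(key, record)

    corrupted = b"account=1042;balance=509.00"  # bit rot / transmission error
    forged = b"account=1042;balance=900.00"     # deliberate alteration
    forged_checksum = integrity_tag(forged)     # forger simply recomputes it
    forged_mac = authenticity_tag(b"guessed-key", forged)  # no access to `key`

    return {
        "original_integrity": integrity_ok(record, checksum),
        "original_authentic": authenticity_ok(key, record, mac),
        "corrupted_integrity": integrity_ok(corrupted, checksum),
        # a checksum alone cannot tell an authentic record from a forged one
        "forged_checksum_passes_integrity": integrity_ok(forged, forged_checksum),
        # the HMAC rejects it, because the tag was not made with the real key
        "forged_passes_authenticity": authenticity_ok(key, forged, forged_mac),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```
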

  • 21/46

    WHAT IS AN INFORMATION SYSTEM?

    An Information System (IS) is the entire set of software, hardware, data, people, procedures (instructions to complete a specific task; those instructions must be disseminated among members of the organization only on a need-to-know basis), and networks necessary to use information as a resource in the organization.

    So we have to secure all of the IS components.

  • 22/46

    WHAT IS AN INFORMATION SYSTEM?

  • 23/46

    SECURING COMPONENTS

    The security of information and its systems entails securing all components and protecting them from potential misuse and abuse by unauthorized users.

    When a computer is the subject of an attack, it is used as an active tool to conduct the attack.

    When a computer is the object of an attack, it is the entity being attacked.

  • 24/46

    SECURING COMPONENTS

  • 25/46

    BALANCING SECURITY AND ACCESS

    Chief information security officer: responsible for the assessment, management, and implementation of security in the organization.

    The following figure shows some of the competing voices that must be reconciled in the information security versus access balancing act.

  • 26/46

    APPROACHES TO SECURITY IMPLEMENTATION

    The implementation of information security in an organization must begin somewhere.

    Securing information assets is in fact an incremental process that requires coordination, time, and patience.

    Information security can begin as a grassroots effort in which systems administrators attempt to improve the security of their systems. This is often referred to as a bottom-up approach.

  • 27/46

    APPROACHES TO SECURITY IMPLEMENTATION

    The approach that has a higher probability of success is called the top-down approach.

    In this approach the project is initiated by the upper-level managers, who issue policy, procedures, and processes, dictate the goals and expected outcomes of the project, and determine who is accountable for each of the required actions.

  • 28/46

    APPROACHES TO SECURITY IMPLEMENTATION

    Chief Information Officer: responsible for the strategic planning

    Chief Operating Officer

    Chief Information Officer

    Chief Executive Officer

    Chief Financial Officer

    Chief Information Security Officer

    Vice President

  • 29/46

    TOP-DOWN APPROACH

    Initiated by upper management: issue policy, procedures, and processes; dictate the goals and expected outcomes of the project; determine who is accountable for each of the required actions.

    This approach has strong upper management support, a dedicated champion, dedicated funding, clear planning, and the chance to influence organizational culture.

    The most successful top-down approach may also involve a formal development strategy referred to as a systems development life cycle.

  • 30/46

    THE SYSTEMS DEVELOPMENT LIFE CYCLE

    The SDLC is a methodology for the design and implementation of an information system.

    Information security must be managed in a manner similar to any other major system implemented in the organization, so the same phases used in the traditional SDLC are adapted to support the specialized implementation of a security project (SecSDLC).

    Using a methodology ensures a rigorous process and avoids missing steps.

    The goal is creating a comprehensive security posture/program.

  • 31/46

    THE SYSTEMS DEVELOPMENT LIFE CYCLE

    The different variations of the SDLC range from having three to twelve phases, all of which have been mapped into the six presented here.

    The waterfall model pictured in Fig 1-9 illustrates that each phase begins with the results and information gained from the previous phase.

  • 32/46

    THE SYSTEM DEVELOPMENT LIFE CYCLE

  • 33/46

    INVESTIGATION

    What is the problem the system is being developed to solve?

    The objectives, constraints, and scope of the project are specified.

    A preliminary cost/benefit analysis is developed.

    A feasibility analysis (this analysis is to ensure that the implementation is worth the organization's time and effort).

  • 34/46

    ANALYSIS

    Analysts begin to determine what the new system is expected to do and how the new system will interact with existing systems.

    Ends with the documentation of the findings and a feasibility analysis update (updating the feasibility analysis from the previous phase).

  • 35/46

    LOGICAL DESIGN

    Our goal is to begin creating a systems solution for a business problem (note: the logical design is implementation independent, which means it solves the business problem without naming any specific technology or vendor).

    Logical design must generate a number of alternative solutions with corresponding strengths and weaknesses.

    At the end, another feasibility analysis is performed.

  • 36/46

    PHYSICAL DESIGN

    Specific technologies are selected to support the alternatives identified and evaluated in the logical design.

    Selected components are evaluated based on a make-or-buy decision.

    The entire solution is presented to the organizational management for approval.

  • 37/46

    IMPLEMENTATION

    Any needed software is created.

    Components are ordered, received, and tested.

    Users are trained and supporting documentation is created.

    Once all components are tested individually, they are installed and tested as a system.

    Again a feasibility analysis is prepared.

  • 38/46

    MAINTENANCE AND CHANGE

    This is the longest and most expensive phase of the process.

    It consists of the tasks necessary to support and modify the system.

    At periodic points, the system is tested for compliance and the feasibility of continuance versus discontinuance is evaluated.

    Upgrades, updates and patches are managed.

    It is imperative that those who manage the system, as well as those who support them, continually monitor the effectiveness of the system in relation to the organization's environment.

  • 39/46

    SECURITY PROJECT TEAM

    A number of individuals who are experienced in one or multiple requirements of both the technical and non-technical areas:

    The champion

    The team leader

    Security policy developers (they must understand the organizational culture and existing policies)

    Risk assessment specialists (they must understand the financial risk assessment techniques, the value of the organization's assets, and the security methods to be used)

    Security professionals (professionals in all aspects of security)

    Systems administrators

  • 40/46

    SECURITY PROJECT TEAM

    The champion: a senior executive who promotes the project and ensures its support, both financially and administratively, at the highest level of the organization.

    Team leader: a project manager, who may be a departmental line manager or staff unit manager, who understands project management, personnel management, and information security technical requirements.

    Security policy developer: individuals who understand the organizational culture, existing policies, and requirements for developing and implementing successful policies.

    Risk assessment specialist: individuals who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used.

  • 41/46

    SECURITY PROJECT TEAM

    The security professionals: dedicated, trained and well-educated specialists in all aspects of information security from both a technical and a nontechnical standpoint.

    System administrator: individuals with the primary responsibility for administering the systems that house information used by the organization.

  • 42/46

    INFORMATION SECURITY TERMINOLOGY

    Asset: the organizational resource that is being protected.

    Company website

    Data or information

    Computer

    Person

    Attack: an intentional or unintentional attempt to cause damage to information or to the systems that support the information.

    Lightning strike

    Hacker attempt to break into an information system.

  • 43/46

    INFORMATION SECURITY TERMINOLOGY

    Exploit: there are two common uses of this term in security. First, a hacker may attempt to exploit a system or information by using it illegally for personal gain. Second, an exploit can be a targeted solution to misuse a specific hole or vulnerability, usually in software, that a hacker creates to formulate an attack.

    Hacking: gaining access to a computer illegally.

    Vulnerability: weaknesses or faults in a system.

    A computer system without antivirus software. An unprotected system port.

  • 44/46

    INFORMATION SECURITY TERMINOLOGY

    Risk: the probability that something can happen, e.g. the probability of software malfunctioning. We can measure it in quantitative terms (a 50% chance of attack) or in qualitative terms (a low probability of malfunction).

    Threat: a category of objects, persons, or other entities that pose a potential danger to an asset.

    Severe storms are a threat to buildings and their contents.

    Hackers represent a potential danger or threat to an unprotected information system.

  • 45/46

    INFORMATION SECURITY TERMINOLOGY

    Malware, short for malicious software, consists of programming (code, scripts, active content, and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, and other abusive behavior.

    Adware, or advertising-supported software, is any software package which automatically plays, displays, or downloads advertisements to a computer. These advertisements can be in the form of a pop-up. They may also be in the user interface of the software or on a screen presented to the user during the installation process. The object of the adware is to generate revenue for its author. Adware, by itself, is harmless; however, some adware may come with integrated spyware.

  • 46/46

    END OF CHAPTER 1