1. Ch1 Introduction
8/3/2019 1. Ch1 Introduction
1/46
First semester 2009
INFORMATION SYSTEM SECURITY
Chapter 1: Introduction
Dr. Malek Kakish
Faculty of Computer Sciences and Informatics, Amman Arab University
Amman - Jordan
ANNOUNCEMENTS
Textbook
Whitman, Michael E. & Mattord, Herbert J. Principles of Information Security (second edition), Thomson Course Technology, Boston, MA, 2005.
Lecture slides
Modified, with extra material added when needed, by Dr. Malek Kakish.
EXAMS AND GRADING POLICY
First Exam: 20%
Second Exam: 20%
Final Exam: 50%
Homework & Activity: 10%
Homework
By individual student.
PROJECT & HW RULES
Projects & Homework that are copied, 1% similar, or written together will result in course failure.
Everyone must write up their own work.
CLASS RULES
Any student who gets 4 absences will definitely fail this course.
Switch OFF your mobiles.
HOMEWORK SUBMISSION FORMAT: No paper homework will be accepted!! Send all your homework to: [email protected]
In the Subject box type:
Your_First_name Your_Last_name; Security ; HW xx. Example:
Malek Kakish; Security ; HW 3
You will get an acknowledgment message.
LEARNING OBJECTIVES:
Upon completion of this chapter you should be able to:
Understand the definition of information security.
Comprehend the history of computer security and how it evolved into information security.
Understand the key terms and critical concepts of information security as presented in the chapter.
Outline the phases of the security systems development life cycle.
Understand the role of professionals involved in information security in an organizational structure.
CHAPTER 1 INTRODUCTION
Do not figure on opponents not attacking;
Worry about your own lack of preparation.
BOOK OF THE FIVE RINGS
INTRODUCTION
LAN security, WAN security, Internet security, information security, IP security, data security, database security, computer security, network security, security protocols, security for mobile communication, security for mobile devices, security for e-business, e-payment security, WAP security, security for wireless communication, application-level security, transport-level security, data-link security, operating system security, multimedia security, smart card security, credit card security, mainframe security, router security, gateway security, security of handheld PCs, etc.
Definition of Security: the sum of all measures taken to prevent loss of information.
INTRODUCTION
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
Computer security is a branch of computer technology known as information security as applied to computers and networks.
THE HISTORY OF INFORMATION SECURITY
Julius Caesar is credited with the invention of the Caesar cipher ca. 50 B.C., which was created in order to prevent his secret messages from being read should a message fall into the wrong hands.
During World War II, access to sensitive military data was controlled through badges, keys, and facial recognition.
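The Caesar cipher mentioned above, written out as an added Python example (not from the slides or the textbook): encryption is a fixed rotation of the alphabet, and the reason it offers no protection today is that only 25 keys exist, so an exhaustive search scored with an English letter-frequency test recovers the key from any message of a few dozen letters. The sample message is constructed for this example and the frequency table is the standard English one.

```python
import string

ALPHABET = string.ascii_uppercase

# Approximate letter frequencies of English text, in percent (standard table).
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0,
    "H": 6.1, "I": 7.0, "J": 0.15, "K": 0.77, "L": 4.0, "M": 2.4, "N": 6.7,
    "O": 7.5, "P": 1.9, "Q": 0.095, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8,
    "V": 0.98, "W": 2.4, "X": 0.15, "Y": 2.0, "Z": 0.074,
}


def caesar_shift(text: str, shift: int) -> str:
    """Rotate every ASCII letter by `shift` places (mod 26), keeping case;
    digits, spaces and punctuation pass through unchanged."""
    lower = ALPHABET.lower()
    out = []
    for ch in text:
        base = ALPHABET if ch in ALPHABET else lower if ch in lower else None
        out.append(ch if base is None else base[(base.index(ch) + shift) % 26])
    return "".join(out)


def caesar_encrypt(plaintext: str, key: int) -> str:
    return caesar_shift(plaintext, key % 26)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    return caesar_shift(ciphertext, -key % 26)


def english_distance(text: str) -> float:
    """Chi-squared distance between the letter counts of `text` and the
    English table above; lower means the text looks more like English."""
    letters = [ch for ch in text.upper() if ch in ENGLISH_FREQ]
    if not letters:
        return float("inf")
    total = len(letters)
    score = 0.0
    for letter, pct in ENGLISH_FREQ.items():
        expected = total * pct / 100.0
        score += (letters.count(letter) - expected) ** 2 / expected
    return score


def break_caesar(ciphertext: str) -> tuple[int, str]:
    """Exhaustive search: only 25 usable shifts exist, so decrypt under every
    key and keep the candidate closest to English. Returns (key, plaintext)."""
    candidates = ((k, caesar_decrypt(ciphertext, k)) for k in range(1, 26))
    return min(candidates, key=lambda kp: english_distance(kp[1]))


if __name__ == "__main__":
    # Constructed sample message, not taken from the slides.
    message = "Attack at dawn and meet me at the northern gate of the city before the sun rises"
    secret = caesar_encrypt(message, 3)  # Caesar's traditional shift of three
    key, recovered = break_caesar(secret)
    print(secret)
    print(f"recovered key {key}: {recovered}")
```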
THE HISTORY OF INFORMATION SECURITY
The procedures of computer security were expanded to embrace more complex and more technologically sophisticated safeguards.
(Figures: Enigma; Mainframes)
THE HISTORY OF INFORMATION SECURITY
Enable computer centers to communicate instead of mailing magnetic tapes.
Mid-1960s: MULTICS (OS with multi-level security).
1968: ARPA project started.
Mid-1969: UNIX. Early 1970: password function implemented in UNIX.
Late 1970s: the microprocessor brought
THE HISTORY OF INFORMATION SECURITY
The personal computer was built with this microprocessor technology.
Decentralization of data and processing power.
1973: Robert M and Bob Metcalfe (Ethernet developer) identified fundamental problems with ARPANET security.
The need for sharing increased during the 1980s.
WHAT IS SECURITY?
In general: the quality or state of being secure, to be free from danger.
Building protection against adversaries.
A successful organization should have the following multiple layers of security to protect its operations:
1- Physical security (physical items, objects, ..)
2- Personal security (individual or group)
3- Operations security (operation or series)
WHAT IS SECURITY?
4- Communication security (organizational communication)
5- Network security (network components, ..)
6- Information security (IS)
Information security (IS), as defined by the standards published by the Committee on National Security Systems (CNSS), is the protection of information, including the systems and hardware that use, store, and transmit that information.
CRITICAL CHARACTERISTICS OF INFORMATION
The value of information comes from the characteristics it possesses.
Some of the critical characteristics are:
1- Availability
2- Accuracy
3- Authenticity
4- Confidentiality
5- Integrity
6- Possession
CRITICAL CHARACTERISTICS OF INFORMATION
1- Availability: enables authorized users (persons or computer systems) to access information without interference or obstruction, and to receive it in the required form.
2- Accuracy: information has accuracy when it is free from mistakes or errors and it has the value that the end user expects.
3- Authenticity: authenticity of information is the quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is the information that was originally created, placed, stored, or transferred.
CRITICAL CHARACTERISTIS OF INFORMATION
4- Confidentiality: when disclosure or exposure to unauthorized individuals or systems is prevented; ensures that only those with the rights and privileges to access information are able to do so.
5- Integrity: information has integrity when it is whole and uncorrupted.
6- Possession: the possession of information is the quality or state of having ownership or control of some object or item.
WHAT IS AN INFORMATION SYSTEM?
An Information System (IS) is the entire set of software, hardware, data, people, procedures (instructions to complete a specific task; those instructions must be disseminated among members of the organization only on a need-to-know basis), and networks necessary to use information as a resource in the organization.
So we have to secure all of the IS components.
SECURING COMPONENTS
The security of information and its systems entails securing all components and protecting them from potential misuse and abuse by unauthorized users.
When a computer is the subject of an attack, it is used as an active tool to conduct the attack.
When a computer is the object of an attack, it is the entity being attacked.
BALANCING SECURITY AND ACCESS
(Figure) Chief information security officer: responsible for the assessment, management, and implementation of security in the organization.
The following figure shows some of the competing voices that must be reconciled in the information security versus access balancing act.
APPROACHES TO SECURITY IMPLEMENTATION
The implementation of information security in an organization must begin somewhere.
Securing information assets is in fact an incremental process that requires coordination, time, and patience.
Information security can begin as a grassroots effort in which systems administrators attempt to improve the security of their systems. This is often referred to as a bottom-up approach.
APPROACHES TO SECURITY IMPLEMENTATION
The approach that has a higher probability of success is called the top-down approach.
In this approach the project is initiated by upper-level managers who issue policy, procedures, and processes, dictate the goals and expected outcomes of the project, and determine who is accountable for each of the required actions.
APPROACHES TO SECURITY IMPLEMENTATION
(Figure: organizational chart. Chief Executive Officer; Chief Operating Officer; Chief Information Officer, responsible for the strategic planning; Chief Financial Officer; Vice President; Chief Information Security Officer.)
TOP-DOWN APPROACH
Initiated by upper management, who:
issue policy, procedures, and processes;
dictate the goals and expected outcomes of the project;
determine who is accountable for each of the required actions.
This approach has strong upper management support, a dedicated champion, dedicated funding, clear planning, and the chance to influence organizational culture.
May also involve a formal development strategy referred to as a systems development life cycle.
Most successful top-down approach
THE SYSTEMS DEVELOPMENT LIFE CYCLE
SDLC is a methodology for the design and implementation of an information system.
Information security must be managed in a manner similar to any other major system implemented in the organization, so the same phases used in the traditional SDLC are adapted to support the specialized implementation of a security project (SecSDLC).
Using a methodology ensures a rigorous process and avoids missing steps.
The goal is creating a comprehensive security posture/program.
THE SYSTEMS DEVELOPMENT LIFE CYCLE
The different variations of the SDLC range from having three to twelve phases, all of which have been mapped into the six presented here.
The waterfall model pictured in Fig 1-9 illustrates that each phase begins with the results and information gained from the previous phase.
(Figure: The System Development Life Cycle)
INVESTIGATION
What is the problem the system is being developed to solve?
The objectives, constraints, and scope of the project are specified.
A preliminary cost/benefit analysis is developed.
A feasibility analysis is performed (this analysis is to ensure that the implementation is worth the organization's time and effort).
ANALYSIS
Analysts begin to determine what the new system is expected to do and how the new system will interact with existing systems.
Ends with the documentation of the findings and a feasibility analysis update (updating the feasibility analysis from the previous phase).
LOGICAL DESIGN
Our goal is to begin creating a systems solution for a business problem (note: the logical design is implementation independent, which means without naming any specific technology or vendor to solve the business problem).
Logical design must generate a number of alternative solutions with corresponding strengths and weaknesses.
At the end, another feasibility analysis is performed.
PHYSICAL DESIGN
Specific technologies are selected to support the alternatives identified and evaluated in the logical design.
Selected components are evaluated based on a make-or-buy decision.
The entire solution is presented to organizational management for approval.
IMPLEMENTATION
Any needed software is created.
Components are ordered, received, and tested.
Users are trained and supporting documentation is created.
Once all components are tested individually, they are installed and tested as a system.
Again a feasibility analysis is prepared.
MAINTENANCE AND CHANGE
This is the longest and most expensive phase of the process.
It consists of the tasks necessary to support and modify the system.
At periodic points, the system is tested for compliance and the feasibility of continuance versus discontinuance is evaluated.
Upgrades, updates and patches are managed.
It is imperative that those who manage the system, as well as those who support them, continually monitor the effectiveness of the system in relation to the organization's environment.
SECURITY PROJECT TEAM
A number of individuals who are experienced in one or multiple requirements of both the technical and non-technical areas:
The champion
The team leader
Security policy developers (they must understand the organizational culture and existing policies)
Risk assessment specialists (they must understand financial risk assessment techniques, the value of the organization's assets, and the security methods to be used)
Security professionals (professionals in all aspects of security)
Systems administrators
SECURITY PROJECT TEAM
The champion: a senior executive who promotes the project and ensures its support, both financially and administratively, at the highest level of the organization.
Team leader: a project manager, who may be a departmental line manager or staff unit manager, who understands project management, personnel management, and information security technical requirements.
Security policy developer: an individual who understands the organizational culture, existing policies, and requirements for developing and implementing successful policies.
Risk assessment specialist: an individual who understands financial risk assessment techniques, the value of organizational assets, and the security methods to be used.
SECURITY PROJECT TEAM
The security professionals: dedicated, trained and well-educated specialists in all aspects of information security from both a technical and a nontechnical standpoint.
System administrator: an individual with the primary responsibility for administering the systems that house information used by the organization.
INFORMATION SECURITY TERMINOLOGY
Asset: the organizational resource that is being protected.
Examples: company website; data or information; computer; person.
Attack: an intentional or unintentional attempt to cause damage to information or to the systems that support the information.
Examples: lightning strike; hacker attempt to break into an information system.
INFORMATION SECURITY TERMINOLOGY
Exploit: there are two common uses of this term in security. First, a hacker may attempt to exploit a system or information by using it illegally for personal gain. Second, an exploit can be a targeted solution to misuse a specific hole or vulnerability, usually in software, that a hacker creates to formulate an attack.
Hacking: gaining access to a computer illegally.
Vulnerability: weaknesses or faults in a system.
Examples: a computer system without antivirus software; an unprotected system port.
INFORMATION SECURITY TERMINOLOGY
Risk: the probability that something can happen, e.g. the probability of software malfunctioning. We can measure it in quantitative terms (a 50% chance of attack) or in qualitative terms (a low probability of malfunction).
Threats: a category of objects, persons, or other entities that pose a potential danger to an asset.
Examples: severe storms are a threat to buildings and their contents; hackers represent a potential danger or threat to an unprotected information system.
INFORMATION SECURITY TERMINOLOGY
Malware, short for malicious software, consists of programming (code, scripts, active content, and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, and other abusive behavior.
Adware, or advertising-supported software, is any software package which automatically plays, displays, or downloads advertisements to a computer. These advertisements can be in the form of a pop-up. They may also be in the user interface of the software or on a screen presented to the user during the installation process. The object of the adware is to generate revenue for its author. Adware, by itself, is harmless; however, some adware may come with integrated spyware.
END OF CHAPTER 1