ITSAC - Module 1 Flashcards
What is Information Security?
A set of security procedures and tools that broadly protect sensitive enterprise information from misuse, unauthorized access, disruption, or destruction. – Microsoft
It refers to the processes and tools designed and deployed to protect sensitive business information from modification, disruption, destruction, and inspection. – Cisco
Information security in today’s enterprise is a “well-informed sense of assurance that the information risks and controls are in balance.” – Jim Anderson, Inovant (2002)
History
Began immediately after the first mainframes were developed.
Created to aid code-breaking computations during World War II.
Physical controls to limit access to sensitive military locations to authorized personnel: badges, keys, and facial recognition.
Rudimentary in defending against physical theft, espionage, and sabotage.
History
Early 1960s
One of the first documented security problems occurred.
A software glitch mixed two files (the Message of the Day and the password file).
The entire password file was printed on every output file.
History
Early 1970s
The microprocessor brought in a new age of computing capabilities and security threats as these microprocessors were networked.
Late 1970s: microprocessor expanded computing capabilities and security threats.
From mainframe to PC
Decentralized computing
Need for sharing resources increased
Major change in computing
History
RAND Report R-609
The first widely recognized published document to identify the role of management and policy issues in computer security.
It attempted to define multiple controls and mechanisms necessary for the protection of a multi-level computer system.
History
The 1990s
At the close of the 20th century, networks of computers became more common, as did the need to connect those networks to each other.
Gave rise to the Internet - first global network of networks
Early Internet deployment treated security as a low priority
History
In the late 1990s and into the 2000s
Many large corporations began publicly integrating security into their organizations.
Antivirus products became extremely popular, and information security began to emerge as an independent discipline.
History
2000 to present
The Internet brings millions of computer networks into communication with each other—many of them unsecured.
The ability to secure a computer’s data is influenced by the security of every computer to which it is connected.
What is Security?
A successful organization should have the following multiple layers of security in place for the protection of its operations.
- Physical security - to protect the physical items, objects, or areas of an organization from unauthorized access and misuse.
- Personal security - to protect the individual or group of individuals who are authorized to access the organization and its operations.
- Operations security - to protect the details of a particular operation or series of activities.
- Communications security - to protect an organization’s communications media, technology, and content.
- Network security - to protect networking components, connections, and contents.
Critical Characteristics of Information
- Availability - enables users who need to access information to do so without interference or obstruction and in the required format.
- Accuracy - free from mistake or error and having the value that the end-user expects.
- Authenticity - the quality or state of being genuine or original, rather than a reproduction or fabrication.
- Confidentiality - the quality or state of preventing disclosure or exposure to unauthorized individuals or systems.
- Integrity - the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state.
- Utility - the quality or state of having value for some purpose or end. Information has value when it serves a particular purpose. This means that if information is available, but not in a format meaningful to the end-user, it is of no use.
- Possession - the quality or state of having ownership or control of some object or item. Information is said to be in possession if one obtains it, independent of format or another characteristic. While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality.
Information system (IS) – the entire set of software, hardware, data, people, procedures, and networks that enable the use of information resources in the organization.
Components of an Information System
- Software: Includes applications (programs), operating systems, and assorted command utilities. Perhaps the most difficult IS component to secure. Easy target of accidental or intentional attacks.
- Hardware: Physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system. Physical security policies deal with hardware as a physical asset and with the protection of physical assets from harm or theft.
- Data: Often the most valuable asset. Main target of intentional attacks.
- People: People have always been a threat to information security (social engineering). Must be well trained and informed.
- Procedures: Procedures are written instructions for accomplishing a specific task. Threat to integrity of data.
- Networks: Locks and keys won’t work.
Balancing Information Security and Access
To operate an information system that satisfies the end-user and the security professional, the security level must allow reasonable access yet protect against threats to achieve a balanced scale.
An imbalance can occur when the needs of the end user are undermined by obsessive focus on protecting and administering the information systems.
Computer as the Subject and Object of an Attack
Hacker using a computer as the subject of attack
Remote system that is the object of an attack
Approaches to Information Security Implementation:
Bottom-Up Approach
Bottom-up approach:
A method of establishing security policies and/or practices that begins as a grassroots effort in which systems administrators attempt to improve the security of their systems.
The key advantage is the technical expertise of individual administrators.
Advantages & Disadvantages of
Bottom-Up Approach
Advantages:
- Flexibility: Bottom-up approach allows for changes to be made at any stage of the process.
- Empowerment: It gives individuals and smaller groups the power to make decisions.
- Robustness: This approach can result in more robust solutions, as each component can be thoroughly tested and debugged.
Disadvantages:
- Slow Progress: The bottom-up approach can be slow, as each component must be completed before moving on to the next.
- Lack of Coherence: The final solution may lack coherence, as it is assembled from individual parts.
- Difficulty in Managing Complex Projects: This approach can be difficult to manage for complex projects with many components.
What Companies Use a Bottom-up Approach?
Many companies use the bottom-up approach in their management and decision-making processes, including:
Toyota
Hyundai
Ford
Volkswagen
Samsung
Nokia
Dell
Hewlett-Packard
Cisco Systems
Oracle
Approaches to Information Security Implementation:
Top-down Approach
A methodology of establishing security policies and/or practices that is initiated by upper management.
Higher probability of success.
The project is initiated by upper-level managers.
Advantages & Disadvantages of
Top-Down Approach
Advantages:
- Easy to understand and implement.
- Provides clear objectives and expectations.
- Supports effective allocation of resources.
Disadvantages:
- Inflexible to change.
- Limited to pre-determined solutions.
- Can lead to missed opportunities or inefficiencies.
- Can result in lower motivation and participation from lower-level employees.
What Companies Use the Top-Down Approach?
Many companies use the top-down approach in their management and decision-making processes, including:
IBM
Microsoft
Google
Apple
Amazon
GE
Intel
JPMorgan Chase
Goldman Sachs
Procter & Gamble