Information Security 1. Introduction The 2. Objectives 3. Outcomes
4. Chapter 1 Introduction 1.1 Information Security Basics a. Definition of Information Security ‘Information Security’ is providing protection to private data against unauthorized data leakage. It also consists of all measures taken to protect electronic data. b. Evolution of Information Security arly IS efforts identified confidentiality, integrity and availability as primary security factors. The security term “CIA Triad” was derived from these three words. The CIA Triad eventually evolved into the Parkerian Hexad. Facets of the Hexad include confidentiality/control, information integrity, authenticity, availability and utility. The Hexad leans heavily upon authentication and cryptography in order to guard against threats. During the early years of computing, the mainframes used by the military were connected through dedicated phone lines to form ARPANET, the precursor to the modern internet. While this allowed easy synchronization of information between data centers, it also provided unsecure points between the data centers and the public. This vulnerability was addressed by securing physical locations and hardware. A task force formed by ARPA (Advanced Research Projects Agency) to study internet security in 1967 found this method to be inadequate, and the Rand Report R-609 determined additional steps must be taken to improve security. This report marked an important stage in the development of today's information security. Some early security efforts focused on the mainframe operating system. MULTICS (Multiplexed Information and Computing Service) was an effort by MIT, Bell Labs and General Electric to build security into mainframe operating systems using multiple security levels and passwords. It became obsolete when the era of personal computers arrived. Today's online consumers routinely deal with spyware, adware and malware, which present threats ranging from simple annoyance to password theft. Taking steps to increase personal data
security, limiting data exposure and sharing information about online threats is one way personal information security has evolved. The increased use of anti-viral software is another. Government agencies and businesses routinely invest millions of dollars to study threats while constantly testing and improving information security. 1.2. Building Blocks of Information Security a. Basic Principles of Information Security Information security is concerned with the confidentiality, integrity, and availability of information. From these three 'pillars', the following principles must be applied when implementing and maintaining an information system: • • • • • • Accountability Trust Data management Isolation Change Compliance These security principles must be applied and managed throughout the entire systems development lifecycle. b. The Three Pillars of Information Security CIA Triad Confidentiality Confidentiality is the term used to prevent the disclosure of information to unauthorized individuals or systems. Breaches of confidentiality take many forms. Permitting someone to look over your shoulder at your computer screen while you have confidential data displayed on it could be a breach of confidentiality. If a laptop computer containing sensitive information about a company's employees is stolen or sold, it could result in a breach of confidentiality. Giving out confidential information over the telephone is a breach of confidentiality if the caller is not authorized to have the information. Integrity In information security, integrity means that data cannot be modified without authorization. This is not the same thing as referential integrity in databases. Integrity is violated when an employee accidentally or with malicious intent deletes important data files, when a computer virus infects a computer, when an employee is able to modify his own salary in a payroll database, when an unauthorized user vandalizes a web site, when someone is able to cast a very large number of votes in an online poll, and so on.
Availability For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial -of- service attacks. Later Parker  proposed “the Parkerian hexad” which adds three additional attributes to the three classic security attributes of the CIA triad. It is a set of six elements of information security model. These attributes of information are not broken down into further constituents, also all of them are non-overlapping c. Critical Concepts of Information Security 1. Know Thy System Perhaps the most important thing when trying to defend a system is knowing that system. It doesn’t matter if it’s a castle or a Linux server — if you don’t know the ins and outs of what you’re actually defending, you have little chance of being successful. An good example of this in the information security world is knowledge of exactly what software is running on your systems. What daemons are you running? What sort of exposure do they create? A good self-test for someone in a small to medium-sized environment would be to randomly select an IP from a list of your systems and see if you know the exact list of ports that are open on the machines. A good admin should be able to say, for example, “It’s a web server, so it’s only running 80, 443, and 22 for remote administration; that’s it.” — and so on and so on for every type of server in the environment. There shouldn’t be any surprises when seeing port scan results. What you don’t want to hear in this sort of test is, “Wow, what’s thatport?” Having to ask that question is a sign that the administrator is not fully aware of everything running on the box in question, and that’s precisely the situation we need to avoid. 2. Least Privilege The next über-important concept is that of least privilege. Least privilege simply says that people and things should only be able to do what they need to do their jobs, and nothing else. The reason I include “things” is that that admins often configure automated tasks that need to be able to do certain things — backups for example. Well, what often happens is the admin will just put the user doing the backup into the domain admins group — even if they could get it to work another way. Why? Because it’s easier.