This training creates awareness of the security threats facing individuals, business owners, and corporations in today's society and instils a 'plan-protection' attitude. It enriches the approach of individuals, students, business owners, and workers to handling these threats and responding appropriately when they occur.
Chapter 1. Introduction to Information Security
1. SQUARE NORTH TECHNOLOGIES
Information Security Training
Chapter 1
Introduction to Information Security
Muhammad Lawal
Chief Executive Officer
elmuhammadm@gmail.com
08124350304
2. Learning Objectives
• Understand what information security is and how it came to mean what it does today.
• Comprehend the history of computer security and how it evolved into information security.
• Understand the key terms and critical concepts of information security as presented in the chapter.
• Outline the phases of the security systems development life cycle.
• Understand the role of the professionals involved in information security in an organizational structure.
• Understand the business need for information security.
• Understand that a successful information security program is the responsibility of an organization's general management and IT management.
• Understand some of the threats posed to information security and the more common attacks associated with those threats.
3. Introduction
Some hundreds of years ago, we would have been making a living from agriculture.
A hundred years ago, you were likely to be making a living working in a factory.
Today, we live in the information age, where everyone has a job somehow connected to information stored in digital form on a network.
4. The History of Information Security
Computer security began immediately after the first mainframes were developed.
Physical controls were needed to limit access to sensitive military locations to authorized personnel.
Only rudimentary controls were available to defend against physical theft, espionage, and sabotage.
5. The 1960s
• The Department of Defense's Advanced Research Projects Agency (ARPA) began examining the feasibility of redundant, networked communications
7. The 1970s and 80s
• ARPANET grew in popularity, as did its potential for misuse
• Fundamental problems with ARPANET security were identified
– No safety procedures for dial-up connections to the ARPANET
– User identification and authorization to the system were non-existent
• In the late 1970s the microprocessor expanded computing capabilities and security threats
8. R-609 – The Start of the Study of Computer Security
• Information security began with Rand Report R-609
• The scope of computer security grew from physical security to include:
– Safety of the data
– Limiting unauthorized access to that data
– Involvement of personnel from multiple levels of the organization
9. The 1990s
• As networks of computers became more common, so too did the need to interconnect the networks
• This resulted in the Internet, the first manifestation of a global network of networks
• In early Internet deployments, security was treated as a low priority
10. The Present
• The Internet has brought millions of computer networks into communication with each other – many of them unsecured
• The ability to secure each is now influenced by the security of every computer to which it is connected
11. What is Security?
The quality or state of being secure – to be free from danger.
A successful organization should have multiple layers of security in place:
• Physical security
• Personal security
• Operations security
• Communications security
• Network security
• Information security
12. Critical Characteristics of Information
• The value of information comes from the characteristics it possesses:
– Availability
– Accuracy
– Authenticity
– Confidentiality
– Integrity
– Utility
– Possession
13. Components of an Information System
• An information system (IS) is the entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organisation
14. Bottom-Up Approach
• Security from a grass-roots effort – systems administrators attempt to improve the security of their systems
• Key advantage – the technical expertise of the individual administrators
• Seldom works, as it lacks a number of critical features:
– participant support
– organizational staying power
15. Top-Down Approach
• Initiated by upper management:
– issue policy, procedures, and processes
– dictate the goals and expected outcomes of the project
– determine who is accountable for each of the required actions
• This approach has strong upper management support, a dedicated champion, dedicated funding, clear planning, and the chance to influence organizational culture
• May also involve a formal development strategy referred to as a systems development life cycle
– The most successful top-down approach
17. The Systems Development Life Cycle
• Information security must be managed in a manner similar to any other major system implemented in the organization
• Using a methodology
– ensures a rigorous process
– avoids missing steps
• The goal is creating a comprehensive security posture/program
18. The Security Systems Development Life Cycle
• The same phases used in the traditional SDLC may be adapted to support specialized implementation of an IS project:
• Investigation
• Analysis
• Logical design
• Physical design
• Implementation
• Maintenance & change
• Identification of specific threats and creating controls to counter them
• The SecSDLC is a coherent program rather than a series of random, seemingly unconnected actions
20. Investigation
• Identifies the process, outcomes, goals, and constraints of the project
• Begins with the enterprise information security policy
• Organizational feasibility analysis is performed
21. Analysis
• Documents from the investigation phase are studied
• Analyzes existing security policies or programs, along with documented current threats and associated controls
• Includes analysis of relevant legal issues that could impact the design of the security solution
• The risk management task begins
22. Logical Design
• Creates and develops blueprints for information security
• Incident response actions planned:
– Continuity planning
– Incident response
– Disaster recovery
• Feasibility analysis to determine whether the project should continue or be outsourced
23. Physical Design
• Needed security technology is evaluated, alternatives generated, and the final design selected
• At the end of the phase, a feasibility study determines the readiness of the organization for the project
24. Implementation
• Security solutions are acquired, tested, implemented, and tested again
• Personnel issues evaluated; specific training and education programs conducted
• The entire tested package is presented to management for final approval
25. Maintenance and Change
• Perhaps the most important phase, given the ever-changing threat environment
• Often, reparation and restoration of information is a constant duel with an unseen adversary
• The information security profile of an organization requires constant adaptation as new threats emerge and old threats evolve
26. Professionals involved in information security within an organization
Senior Management
Chief Information Officer (CIO)
• Senior technology officer
• Primarily responsible for advising senior executives on strategic planning
Chief Information Security Officer (CISO)
• Primarily responsible for assessment, management, and implementation of IS in the organization
• Usually reports directly to the CIO
27. Information Security Project Team
A number of individuals who are experienced in one or more facets of the required technical and nontechnical areas:
• Champion
• Team leader
• Security policy developers
• Risk assessment specialists
• Security professionals
• Systems administrators
• End users
28. Data Ownership
• Data owner: responsible for the security and use of a particular set of information
• Data custodian: responsible for storage, maintenance, and protection of information
• Data users: end users who work with information to perform their daily jobs supporting the mission of the organization
29. What is Information Security?
• "The concepts, techniques, technical measures, and administrative measures used to protect information assets from deliberate or inadvertent unauthorised acquisition, damage, disclosure, manipulation, modification, loss, or use is information security."
or
• Protecting information and information systems from unauthorised access, use, disclosure, modification or destruction.
or
• Implementing suitable controls – policies, practices, procedures, organisational structures, software, etc. – to secure information for any information user.
30.
• The protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information
• Necessary tools: policy, awareness, training, education, technology
• The C.I.A. triangle was the standard, based on confidentiality, integrity, and availability
• The C.I.A. triangle has now been expanded into a list of critical characteristics of information
31. How Can Information Security Be Achieved
Information security is achieved by implementing a suitable set of controls, which could be:
• Access to network resources will be granted through a unique user ID and password
• Passwords will be 8 characters long
• Passwords should include one non-alpha character and not be found in a dictionary
These controls need to be established in order to ensure that the specific security objectives of the organization are met.
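The three controls on this slide can be expressed as a small, checkable policy. The following is an added example written for this page, not code from the training deck or from Square North Technologies; it assumes the slide's "8 characters long" means a minimum of 8, uses a tiny constructed wordlist in place of a real dictionary, and adds a credential store that enforces the unique-user-ID rule and keeps only salted PBKDF2 hashes rather than the passwords themselves.

```python
import hashlib
import hmac
import os
import re
from typing import List

# Constructed stand-in for a real dictionary wordlist (assumption: a real
# deployment would load a full wordlist from disk instead of this set).
DICTIONARY_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon", "monkey", "football"}

MIN_LENGTH = 8          # the slide's "8 characters long", read here as a minimum
PBKDF2_ROUNDS = 200_000  # assumed work factor; tune to the deployment's hardware


def check_password_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[^A-Za-z]", password):
        problems.append("no non-alphabetic character")
    # Strip digits and punctuation before the dictionary lookup so that
    # "Password1!" still counts as a dictionary word, not a compliant password.
    core = re.sub(r"[^A-Za-z]", "", password).lower()
    if core in DICTIONARY_WORDS or password.lower() in DICTIONARY_WORDS:
        problems.append("based on a dictionary word")
    return problems


class UserDirectory:
    """Minimal credential store: unique user IDs, salted PBKDF2 password hashes."""

    def __init__(self) -> None:
        self._users = {}  # user_id -> (salt, digest)

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def register(self, user_id: str, password: str) -> None:
        """Create an account; rejects duplicate IDs and policy-violating passwords."""
        if user_id in self._users:
            raise ValueError(f"user ID {user_id!r} already exists")
        problems = check_password_policy(password)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        salt = os.urandom(16)
        self._users[user_id] = (salt, self._derive(password, salt))

    def authenticate(self, user_id: str, password: str) -> bool:
        """True only if the ID exists and the password matches its stored hash."""
        record = self._users.get(user_id)
        if record is None:
            return False  # unknown ID gets the same answer as a wrong password
        salt, digest = record
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(self._derive(password, salt), digest)


if __name__ == "__main__":
    directory = UserDirectory()
    directory.register("alice", "Tr0ub4dor&3")
    print("alice, correct password:", directory.authenticate("alice", "Tr0ub4dor&3"))
    print("alice, wrong password:", directory.authenticate("alice", "wrong-pass-9"))
    print("policy check for 'Password1!':", check_password_policy("Password1!"))
```

The policy check returns every violation at once so a user can fix all of them in one attempt, and the directory never stores or compares the raw password, which is what makes the "unique user ID and password" control safe to operate even if the credential store is later exposed.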
32. Information Security Goals
Confidentiality – making sure that those who should not see the information cannot see it.
Integrity – making sure the information has not been changed from how it was intended to be.
Availability – making sure the information is available for use when needed.
34. Securing Components
• A computer can be the subject of an attack and/or the object of an attack
– When the subject of an attack, the computer is used as an active tool to conduct the attack
– When the object of an attack, the computer is the entity being attacked
36. Balancing Information Security and Access
• It is impossible to obtain perfect security – it is a process, not an absolute
• Security should be considered a balance between protection and availability
• To achieve balance, the level of security must allow reasonable access, yet protect against threats
38. The Need for Information Security
Business Needs First
Technology Needs Last
Information security performs three important functions for an organization:
• Protects the organization's ability to function
– Communities of interest must argue for information security in terms of impact and cost
• Enables the safe operation of applications implemented on the organization's IT systems
– Organizations must create integrated, efficient, and capable applications
– Organizations need environments that safeguard applications
39.
• Protects the data the organization collects and uses
– One of the most valuable assets is data
– Without data, an organization loses its record of transactions and/or its ability to deliver value to its customers
– An effective information security program is essential to the protection of the integrity and value of the organization's data
Technology Needs
• Safeguards the technological assets in use at the organization
• Organizations must have secure infrastructure services based on the size and scope of the enterprise
40. Areas of Information System Security
Data security
Computer security
LAN or Network security
Internet security
41. Major Threats & Issues
Basic Threats
Theft of password
E-mail based threats
E-mail based extortion
Launch of malicious codes (trojans)
42. Corporate threats
• Web defacement
• Corporate espionage
• Website-based launch of malicious code, cheating, and fraud
• Exchange of criminal ideas and tools
• Cyber harassment
• Forged websites
Online threats
• E-mail spamming
• Theft of software and electronic records
• Cyber stalking
• E-mail bombing
• Denial of service attacks
43. Protecting your computer and network
Physical security
Securing desktop computers
Securing laptops/notebooks/handheld computers
Securing networks
Software security
Protect against Internet intruders with firewalls and IDS
Protect against viruses and other malware
Protect against spyware and adware
Protect against unwanted email
44. General spam protection practices
Do not give out your email address indiscriminately
Leave your email signature line blank if you post to a
newsgroup
Do not reply to junk messages
Do not open obvious spam mails
Report to appropriate person – systems administrator