Information Security : Is it an Art or a Science ?
What is Security ?
What is Information Security ?
Brief History : Information Security
Present Day : InfoSec
Why InfoSec is important ?
What is Information Assurance ?
Prevention , Detection , Response
WHAT IS SECURITY ?
“quality or state of being secure to be
free from danger”
To be protected from adversaries
A successful organization should have
multiple layers of security in place:
WHAT IS INFORMATION SECURITY ?
The protection of information and its critical
elements, including the systems and hardware
that use, store, and transmit that information
Tools, such as policy, awareness, training,
education, and technology are necessary
The C.I.A. triangle was the standard based on
Confidentiality, Integrity, and Availability
BRIEF HISTORY OF INFORMATION SECURITY
Computer security began immediately after the
first mainframes were developed
Groups developing code-breaking computations
during World War II created the first modern
Physical controls were needed to limit access to
authorized personnel to sensitive military
Only limited controls were available to defend
against physical theft, espionage, and sabotage
The "Enigma" machines, which
scramble messages into codes,
were best known for their use
by the German military during
Many models were made and
there were complex additions
to the machines during the
war, but British code breakers
managed to crack the "Enigma"
PRESENT DAY : INFORMATION SECURITY
Internet has brought millions of
computer networks into communication
with each other – many of them
to secure each now influenced by
the security on every computer to which it
WHY INFORMATION SECURITY IS IMPORTANT ?
Governments, commercial businesses, and individuals
are all storing information electronically
compact, instantaneous transfer, easy access
Ability to use information more efficiently has
resulted in a rapid increase in the value of
Information stored electronically faces new and
potentially more damaging security threats
can potentially be stolen from a remote location
much easier to intercept and alter electronic
communication than its paper-based predecessors
WHAT IS INFORMATION ASSURANCE ?
The act of ensuring that data is not lost when critical
These issues include natural disasters,
computer/server malfunction, physical theft, or any
other instance where data has the potential of being
A common method of providing information assurance is to
have an off-site backup of the data in case one of the
mentioned issues arises.
SECURITY SERVICES :
WHAT TYPES OF PROBLEMS CAN OCCUR?
“the assurance that information is not disclosed to
unauthorized persons, processes or devices.”
“the assurance that data can not be created, changed, or
deleted without proper authorization”
“Timely, reliable access to data and information
services for authorized users.”
“Designed to establish the validity of a transmission,
message, or originator, or a means of verifying an
individual’s authorizations to receive specific categories
“The assurance the sender of the data is provided with proof of
delivery and the recipient is provided with proof of the sender’s
identity, so neither can later deny having processed the data”
Examples where non-repudiation is lacking include:
- An online shopper purchases and downloads a software package,
but later claims he never downloaded it.
- An online shopper purchases and downloads a software package
that he later finds out was corrupted, but he later finds out the
seller was not who he expected, but instead was a “man in the
INFORMATION STATES :
WHERE IS THE DATA?
Time in which the data is in transit between processing/process
Time during which data is on a persistent medium such as a
hard drive or tape.
Time during which the data is actually in the control of a
SECURITY COUNTERMEASURES :
WHO CAN ENFORCE/CHECK SECURITY?
Policy and Practice
The heart and soul of secure systems.
Awareness, literacy, training, education in sound
Must follow policy and practice or the systems
will be compromised no matter how good the
Both strength and vulnerability.
POLICY AND PRACTICE
Especially vulnerable to misconfiguration and other “human”
Establishment of policy and access control
who: identification, authentication, authorization
what: granted on “need-to-know” basis
Implementation of hardware, software, and
users cannot override, unalterable (attackers cannot
defeat security mechanisms by changing them)
examples of preventative mechanisms
passwords - prevent unauthorized system access
- prevent unauthorized network access
encryption - prevents breaches of confidentiality
physical security devices - prevent theft
PREVENTION IS NOT ENOUGH!
Prevention systems are never perfect.
No bank ever says: "Our safe is so good, we don't need
an alarm system."
No museum ever says: "Our door and window locks are
so good, we don't need night watchmen."
Detection and response are how we get security in
the real world, and they're the only way we can possibly
get security in the cyberspace world.
Counterpane Internet Security, Inc.
Determine that either an attack is underway or
has occurred and report it
or, as close as possible
monitor attacks to provide data about their nature,
severity, and results
Intrusion verification and notification
intrusion detection systems (IDS)
typical detection systems monitor various aspects of
the system, looking for actions or information
indicating an attack
example: denial of access to a system when user repeatedly
enters incorrect password
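The lockout example above, worked as a small detector over login events. This is an added example, not part of the original slides; the log line format, the sample lines, and the policy values (3 failures within 60 seconds, 15-minute lockout) are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the line format is an assumption for this example.
SAMPLE_LOG = """\
2024-05-01T10:00:00 LOGIN_FAIL user=alice src=192.0.2.10
2024-05-01T10:00:05 LOGIN_FAIL user=alice src=192.0.2.10
2024-05-01T10:00:12 LOGIN_FAIL user=alice src=192.0.2.10
2024-05-01T10:00:15 LOGIN_OK user=alice src=192.0.2.10
2024-05-01T10:01:00 LOGIN_FAIL user=bob src=192.0.2.20
2024-05-01T10:05:00 LOGIN_FAIL user=bob src=192.0.2.20
2024-05-01T10:05:10 LOGIN_OK user=bob src=192.0.2.20
"""

MAX_FAILURES = 3                 # assumed policy: failures tolerated per window
WINDOW = timedelta(seconds=60)   # assumed sliding window for counting failures
LOCKOUT = timedelta(minutes=15)  # assumed duration of the denial of access


def parse(line):
    """Split one constructed log line into (time, event, user, source)."""
    ts, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), event, kv["user"], kv["src"]


def detect(log_text):
    """Return alerts as (time, user, source, kind) for lockouts and denials."""
    failures = defaultdict(deque)  # user -> times of recent failed logins
    locked_until = {}              # user -> time the lockout expires
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        ts, event, user, src = parse(line)
        if ts < locked_until.get(user, datetime.min):
            # Locked account: deny even a correct password, and report it.
            alerts.append((ts.isoformat(), user, src, "DENIED_WHILE_LOCKED"))
        elif event == "LOGIN_OK":
            failures[user].clear()  # a success resets the failure count
        elif event == "LOGIN_FAIL":
            recent = failures[user]
            recent.append(ts)
            while ts - recent[0] > WINDOW:  # drop failures outside the window
                recent.popleft()
            if len(recent) >= MAX_FAILURES:
                locked_until[user] = ts + LOCKOUT
                recent.clear()
                alerts.append((ts.isoformat(), user, src, "LOCKED"))
    return alerts
```

In the sample, alice is locked on her third failure within the window and her next attempt is denied even though the password was correct, while bob's two failures four minutes apart never reach the threshold.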
Stop/contain an attack
must be timely!
incident response plan developed in advance
Assess and repair any damage
Resumption of correct operation
Evidence collection and preservation
strengthens future security measures