Fundamentals of Information Systems Security Chapter 1

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Fundamentals of Information
Systems Security
Lesson 1
Information Systems Security

Fundamentals of Information Systems Security
www.jblearning.com
Page 2Fundamentals of Information Systems Security
www.jblearning.com
Learning Objective(s)
 Explain information systems security and
its effect on people and businesses.

www.jblearning.com
www.jblearning.com
Key Concepts
 Information systems security concepts
 Confidentiality, integrity, and availability (CIA)
 The seven domains of an IT infrastructure
 The weakest link in the security of an IT
infrastructure
 IT security policy framework and data
classification standard

www.jblearning.com
www.jblearning.com
Information Systems Security
Internet
• Is a worldwide network with more than 2 billion users
• Includes governments, businesses, and
organizations
• Links communication networks to one another
World Wide Web
• A system that defines how documents and
resources are related across network machines

www.jblearning.com
www.jblearning.com
Recent Data Breaches: Examples
Adobe Systems Incorporated, 2013
• Hackers published data for 150 million accounts
• Stole encrypted customer credit card data
• Compromised login credentials
U.S. Office of Personnel Management, 2015
• Data breach impacted 22 million people
• Stole SSNs, names, places of birth, addresses
• Millions must be monitored for identity theft for years

www.jblearning.com
www.jblearning.com
Cyberspace: The New Frontier

www.jblearning.com
www.jblearning.com
Internet of Things (IoT)

www.jblearning.com
www.jblearning.com
Risks, Threats, and Vulnerabilities
•Likelihood that something bad will
happen to an assetRisk
•Any action that could damage an assetThreat
•A weakness that allows a threat to be
realized or to have an effect on an assetVulnerability

www.jblearning.com
www.jblearning.com
What Is Information Systems
Security?
•Hardware, operating system, and
application software that work together
to collect, process, and store data for
individuals and organizations
Information
system
•The collection of activities that protect
the information system and the data
stored in it
Information
system
security

www.jblearning.com
www.jblearning.com
U.S. Compliance Laws Drive Need
for Information Systems Security

www.jblearning.com
www.jblearning.com
Tenets of Information Systems
Security

www.jblearning.com
www.jblearning.com
Confidentiality
Private data
of
individuals
Intellectual
property of
businesses
National
security for
countries
and
government

www.jblearning.com
www.jblearning.com
Confidentiality (cont.)
•Practice of hiding data and keeping
it away from unauthorized usersCryptography
•The process of transforming data
from cleartext into ciphertextEncryption
•The scrambled data that are the
result of encrypting cleartextCiphertext

www.jblearning.com
www.jblearning.com
Encryption of Cleartext into
Ciphertext

www.jblearning.com
www.jblearning.com
Integrity
Maintain valid, uncorrupted, and accurate
information

www.jblearning.com
www.jblearning.com
Availability
In the context of information security
• The amount of time users can use a system,
application, and data

www.jblearning.com
www.jblearning.com
Availability Time Measurements
Uptime
Downtime
Availability [A = (Total Uptime)/(Total Uptime + Total Downtime)]
Mean time to failure (MTTF)
Mean time to repair (MTTR)
Mean time between failures (MTBF)
Recovery time objective (RTO)

www.jblearning.com
www.jblearning.com
Seven Domains of a Typical IT
Infrastructure

www.jblearning.com
www.jblearning.com
User Domain
Roles and tasks
• Users can access systems, applications, and data
depending upon their defined access rights.
Responsibilities
• Employees are responsible for their use of IT assets.
Accountability
• HR department is accountable for implementing proper
employee background checks.

www.jblearning.com
www.jblearning.com
Common Threats in the User Domain
 Lack of user awareness
 User apathy toward policies
 User violating security policy
 User inserting CD/USB with personal files
 User downloading photos, music, or videos
 User destructing systems, applications, and data
 Disgruntled employee attacking organization or
committing sabotage
 Employee blackmail or extortion

www.jblearning.com
www.jblearning.com
Workstation Domain
Roles and tasks
• Configure hardware, harden systems, and verify
antivirus files.
Responsibilities
• Ensure the integrity of user workstations and data.
Accountability
• Director of IT security is generally in charge of ensuring
that the Workstation Domain conforms to policy.

www.jblearning.com
www.jblearning.com
Common Threats in the Workstation
Domain
 Unauthorized workstation access
 Unauthorized access to systems, applications,
and data
 Desktop or laptop operating system vulnerabilities
 Desktop or laptop application software
vulnerabilities or patches
 Viruses, malicious code, and other malware
 User inserting CD/DVD/USB with personal files
 User downloading photos, music, or videos

www.jblearning.com
www.jblearning.com
LAN Domain
Roles and tasks
• Includes both physical network components and logical
configuration of services for users.
Responsibilities
• LAN support group is in charge of physical components
and logical elements.
Accountability
• LAN manager’s duty is to maximize use and integrity of
data within the LAN Domain.

www.jblearning.com
www.jblearning.com
Common Threats in the LAN Domain
 Unauthorized physical access to LAN
 Unauthorized access to systems, applications,
and data
 LAN server operating system vulnerabilities
 LAN server application software vulnerabilities
and software patch updates
 Rogue users on WLANs
 Confidentiality of data on WLANs
 LAN server configuration guidelines and
standards

www.jblearning.com
www.jblearning.com
LAN-to-WAN Domain
Roles and tasks
• Includes both the physical pieces and logical design of
security appliances. Physical parts need to be managed to
give easy access to the service.
Responsibilities
• Physical components, logical elements, and applying the
defined security controls.
Accountability
• Ensure that LAN-to-WAN Domain security policies,
standards, procedures, and guidelines are used.

www.jblearning.com
www.jblearning.com
 Unauthorized probing and port scanning
 Unauthorized access
 IP router, firewall, and network appliance
operating system vulnerability
 Download of unknown file type attachments from
unknown sources
 Unknown email attachments and embedded URL
links received by local users
Common Threats in the
LAN-to-WAN Domain

www.jblearning.com
www.jblearning.com
WAN Domain
Roles and tasks
• Allow users the most access possible while making
sure what goes in and out is safe.
Responsibilities
• Physical components and logical elements.
Accountability
• Maintain, update, and provide technical support and
ensure that the company meets security policies,
standards, procedures, and guidelines.

www.jblearning.com
www.jblearning.com
 Open, public, and accessible data
 Most traffic being sent as cleartext
 Vulnerable to eavesdropping
 Vulnerable to malicious attacks
 Vulnerable to denial of service
(DoS) and distributed denial of
service (DDoS) attacks
 Vulnerable to corruption of information/data
 Insecure TCP/IP applications
Common Threats in the WAN
Domain (Internet)

www.jblearning.com
www.jblearning.com
 Commingling of WAN IP traffic on the same
service provider router and infrastructure
 Maintaining high WAN service availability
 Using SNMP network management
applications and protocols maliciously (ICMP,
Telnet, SNMP, DNS, etc.)
 SNMP alarms and security monitoring 24 X 7
X 365
Common Threats in the WAN
Domain (Connectivity)

www.jblearning.com
www.jblearning.com
Remote Access Domain
Roles and tasks
• Connect mobile users to their IT systems through the
public Internet.
Responsibilities
• Maintain, update, and troubleshoot the hardware and
logical remote access connection.
Accountability
• Ensure that the Remote Access Domain security plans,
standards, methods, and guidelines are used.

www.jblearning.com
www.jblearning.com
 Brute-force user ID and password attacks
 Multiple logon retries and access control attacks
 Unauthorized remote access to IT systems,
applications, and data
 Confidential data compromised remotely
 Data leakage in violation of data classification
standards
Common Threats in the Remote
Access Domain

www.jblearning.com
www.jblearning.com
System/Application Domain
Roles and tasks
• Includes hardware and its logical design.
• Secure mission-critical applications and intellectual property
assets both physically and logically.
Responsibilities
• Server systems administration, database design and
management, designing access rights to systems and
applications, and more.
Accountability
• Ensure that security policies, standards, procedures, and
guidelines are in compliance.

www.jblearning.com
www.jblearning.com
 Unauthorized access to data centers, computer
rooms, and wiring closets
 Downtime of servers to perform maintenance
 Server operating systems software vulnerability
 Insecure cloud computing virtual environments by
default
 Corrupt or lost data
 Loss of backed-up data as backup media are
reused
Common Threats in the
System/Application Domain

www.jblearning.com
www.jblearning.com
Weakest Link in the Security of an IT
Infrastructure
User is weakest link in security
• Check background of job candidates carefully.
• Evaluate staff regularly.
• Rotate access to sensitive systems, applications, and
data among staff positions.
• Test applications and software and review for quality
• Regularly review security plans.
• Perform annual security control audits.
Strategies for reducing risk

www.jblearning.com
www.jblearning.com
Ethics and the Internet
 Human behavior online is often less mature
than in normal social settings
 Demand for systems security professionals is
growing so rapidly
 U.S. government and Internet Architecture
Board (IAB) defined a policy regarding
acceptable use of Internet geared toward U.S.
citizens
• Policy is not a law or mandated

www.jblearning.com
www.jblearning.com
IT Security Policy Framework
• A short written statement that defines a course of
action that applies to entire organization
•Policy
• A detailed written definition of how software and
hardware are to be used
Standard
• Written instructions for how to use policies and
standards
Procedures
• Suggested course of action for using policy,
standard, or procedure
Guidelines

www.jblearning.com
www.jblearning.com
Hierarchical IT Security Policy
Framework

www.jblearning.com
www.jblearning.com
Foundational IT Security Policies
Acceptable use policy (AUP)
 Security awareness policy
 Asset classification policy
 Asset protection policy
 Asset management policy
 Vulnerability assessment/management
 Threat assessment and monitoring

www.jblearning.com
www.jblearning.com
•Data about people that must be
kept privatePrivate data
•Information or data owned by the
organizationConfidential
•Information or data shared
internally by an organization
Internal use
only
•Information or data shared with the
public
Public domain
data
Data Classification Standards

www.jblearning.com
www.jblearning.com
Summary
 Information systems security concepts
 Confidentiality, integrity, and availability (CIA)
 The seven domains of an IT infrastructure
 The weakest link in the security of an IT
infrastructure
 IT security policy framework and data
classification standard

Fundamentals of Information Systems Security Chapter 1

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Fundamentals of Information Systems Security Chapter 1

Similar to Fundamentals of Information Systems Security Chapter 1 (20)

More from Dr. Ahmed Al Zaidy

More from Dr. Ahmed Al Zaidy (20)

Recently uploaded

Recently uploaded (20)

Fundamentals of Information Systems Security Chapter 1