This document discusses information security and whether it is an art or a science. It begins with definitions of security and information security, focusing on protecting information systems and data. It then provides a brief history of information security, from its origins in code breaking during World War II to the increased threats in the modern internet era. The document outlines key information security concepts like confidentiality, integrity, and availability. It also discusses security services, information states, security countermeasures, and the importance of prevention, detection and response.

1. Information Security : Is it an Art or a Science ?
1
by
Pankaj Rane
Research Associate(IDRBT)

2. AGENDA
What is Security ?
 What is Information Security ?
 Brief History : Information Security
 Present Day : InfoSec
 Why InfoSec is important ?
 What is Information Assurance ?
 Security Services
 Information States
 Security Countermeasures
 Prevention , Detection , Response
 References

2

3. WHAT IS SECURITY ?
 “The
quality or state of being secure to be
free from danger”
 To be protected from adversaries
 A successful organization should have
multiple layers of security in place:





Physical security
Personal security
Operations security
Communications security
Network security
3

4. Fig.1 Spheres of security
4

5. WHAT IS INFORMATION SECURITY ?



The protection of information and its critical
elements, including the systems and hardware
that use, store, and transmit that information
Tools, such as policy, awareness, training,
education, and technology are necessary
The C.I.A. triangle was the standard based on
Confidentiality, Integrity, and Availability
5

6. C.I.A. Triangle
6

7. BRIEF HISTORY OF INFORMATION SECURITY




Computer security began immediately after the
first mainframes were developed
Groups developing code-breaking computations
during World War II created the first modern
computers
Physical controls were needed to limit access to
authorized personnel to sensitive military
locations
Only limited controls were available to defend
against physical theft, espionage, and sabotage
7

8. The "Enigma" machines, which
scramble messages into codes,
were best known for their use
by the German military during
WWII.
Many models were made and
there were complex additions
to the machines during the
war, but British code breakers
managed to crack the "Enigma"
code.
8

9. PRESENT DAY : INFORMATION SECURITY
 The
Internet has brought millions of
computer networks into communication
with each other – many of them
unsecured
 Ability
to secure each now influenced by
the security on every computer to which it
is connected
9

10. WHY INFORMATION SECURITY IS IMPORTANT ?

Governments, commercial businesses, and individuals
are all storing information electronically



compact, instantaneous transfer, easy access
Ability to use information more efficiently has
resulted in a rapid increase in the value of
information
Information stored electronically faces new and
potentially more damaging security threats
can potentially be stolen from a remote location
 much easier to intercept and alter electronic
communication than its paper-based predecessors

10

11. WHAT IS INFORMATION ASSURANCE ?



The act of ensuring that data is not lost when critical
issues arise.
These issues include natural disasters,
computer/server malfunction, physical theft, or any
other instance where data has the potential of being
lost.
Common method of providing information assurance is to
have an off-site backup of the data in case one of the
mentioned issues arise.
11

12. SECURITY SERVICES :
WHAT TYPES OF PROBLEMS CAN OCCUR?
Confidentiality
 Integrity
 Availability
 Authentication
 Non Repudiation

12

13. CONFIDENTIALITY
“the assurance that information is not disclosed to
unauthorized persons, processes or devices.”
INTEGRITY
“the assurance that data can not be created, changed, or
deleted without proper authorization”
AVAILABILITY
“Timely, reliable access to data and information
services for authorized users.”
AUTHENTICATION
“Designed to establish the validity of a transmission,
message, or originator, or a means of verifying an
individual’s authorizations to receive specific categories
of information”
13

14. NON-REPUDIATION
“The assurance the sender of the data is provided with proof of
delivery and the recipient is provided with proof of the sender’s
identity, so neither can later deny having processed the data”
Examples where non-repudiation is lacking include:
- An online shopper purchases and downloads a software package,
but later claims he never downloaded it.
- An online shopper purchases and downloads a software package
that he later finds out was corrupted, but he later finds out the
seller was not who he expected, but instead was a “man in the
middle”.
14

15. INFORMATION STATES :
WHERE IS THE DATA?
Transmission
 Storage
 Processing

15

16. TRANSMISSION
Time in which the data is in transit between processing/process
steps.
STORAGE
Time during which data is on a persistent medium such as a
hard drive or tape.
PROCESSING
Time during which the data is actually in the control of a
processing step.
16

17. Fig.NSTISSC Security Model
17

18. SECURITY COUNTERMEASURES :
WHO CAN ENFORCE /CHECK SECURITY?
People
 Policy and Practice
 Technology

18

19. PEOPLE
The heart and soul of secure systems.
 Awareness, literacy, training, education in sound
practice.
 Must follow policy and practice or the systems
will be compromised no matter how good the
design!
 Both strength and vulnerability.

19

20. POLICY AND PRACTICE
System users
 System administrators
 Software conventions
 Trust validation

20

21. TECHNOLOGY

Evolves rapidly

Crypto systems

Hardware

Software

Network





Platform




Firewalls
Routers
Intrusion detection
Other….
Operating systems
Transaction monitoring
Other….
Especially vulnerable to misconfiguration and other “human”
errors.
21

22. PREVENTION

Establishment of policy and access control
who: identification, authentication, authorization
 what: granted on “need-to-know” basis


Implementation of hardware, software, and
services
users cannot override, unalterable (attackers cannot
defeat security mechanisms by changing them)
 examples of preventative mechanisms

passwords - prevent unauthorized system access
 firewalls
- prevent unauthorized network access
 encryption - prevents breaches of confidentiality
 physical security devices - prevent theft


Maintenance
22

23. PREVENTION IS NOT ENOUGH!
Prevention systems are never perfect.
No bank ever says: "Our safe is so good, we don't need
an alarm system."
No museum ever says: "Our door and window locks are
so good, we don't need night watchmen.“
Detection and response are how we get security in
the real world, and they're the only way we can possibly
get security in the cyberspace world.
Bruce Schneier,
Counterpane Internet Security, Inc.
23

24. DETECTION
Determine that either an attack is underway or
has occurred and report it
 Real-time monitoring

or, as close as possible
 monitor attacks to provide data about their nature,
severity, and results


Intrusion verification and notification
intrusion detection systems (IDS)
 typical detection systems monitor various aspects of
the system, looking for actions or information
indicating an attack


example: denial of access to a system when user repeatedly
enters incorrect password
24

25. RESPONSE

Stop/contain an attack

must be timely!

incident response plan developed in advance
Assess and repair any damage
 Resumption of correct operation
 Evidence collection and preservation


very important
identifies vulnerabilities
 strengthens future security measures

25

26. REFERENCES
[1] http://www.informit.com/isapi/articles/index.asp {InformIT Reference
Guides}
[2]http://www.cs.duke.edu/courses/summer04/cps001/lectures/Lecture15.ppt
[3]http://www.acc.ncku.edu.tw/chinese/faculty/shulc/courses/cas/Whitman/ch
ap01.ppt
[4] http://en.wikipedia.org/wiki/Information_security
[5] http://en.wikipedia.org/wiki/NSTISSC
26

27. THANK YOU !!!
27

28. QUERIES ???
28