Introduction to Information Security



Introduction to Information Security

• Historical aspects of InfoSec

• Critical characteristics of information

• CNSS security model

• Systems development life cycle for InfoSec

• Organizational influence on InfoSec


Historical Aspects of InfoSec

• Earliest InfoSec was physical security

• In early 1960, a systems administrator was working on the Message of the Day (MOTD) while another person with administrative privileges edited the password file; the password file got appended to the MOTD

• In the 1960s, ARPANET was developed to network computers in distant locations

• The MULTICS operating system was developed in the mid-1960s by MIT, GE, and Bell Labs with security as a primary goal


Historical Aspects of InfoSec

• In the 1970s, the Federal Information Processing Standards (FIPS) program examined DES (Data Encryption Standard) for information protection

• In 1978, DARPA created a report on vulnerabilities in military information systems

• In 1979 two papers were published dealing with password security and UNIX security in remotely shared systems

• In the 1980s the security focus was concentrated on operating systems as they provided remote connectivity


Historical Aspects of InfoSec

• In the 1990s, the growth of the Internet and of LANs contributed to new threats to information stored in remote systems

• IEEE, ISO, ITU-T, NIST and other organizations started developing many standards for secure systems

• Information security is the protection of information and the systems and hardware that use, store, and transmit information


CNSS Model

• CNSS stands for Committee on National Security Systems (a group belonging to the National Security Agency [NSA]). CNSS has developed the National Security Telecommunications and Information Systems Security Instruction (NSTISSI) standards.

• NSTISSI standards are 4011, 4012, 4013, 4014, 4015, 4016. U of L has met the 4011 and 4012 standards in the InfoSec curriculum.


CNSS Security Model

Figure: the CNSS security model cube, with three values along each of its three axes:

• Storage, Processing, Transmission

• Confidentiality, Integrity, Availability

• Technology, Education, Policy


CNSS Security Model

• The model identifies a 3 x 3 x 3 cube with 27 cells

• Security applies to each of the 27 cells

• These cells deal with people, hardware, software, data, and procedures

• A hacker uses a computer (hardware) to attack another computer (hardware). Procedures describe steps to follow in preventing an attack.

• An attack could be either direct or indirect

• In a direct attack one computer attacks another. In an indirect attack one computer causes another computer to launch an attack.


Systems Development Life Cycle for InfoSec

• SDLC for InfoSec is very similar to SDLC for any project

• The Waterfall model would apply to InfoSec as well

• Investigation phase involves feasibility study based on a security program idea for the organization

• Analysis phase involves risk assessment

• Logical design phase involves continuity planning, disaster recovery, and incident response


Systems Development Life Cycle for InfoSec

• Physical design phase involves considering the alternative options available for constructing the physical design

• Implementation phase is very similar to that of the general SDLC model: the design is put into practice

• Maintenance phase involves implementing the design, evaluating the functioning of the system, and making changes as needed


SDLC Waterfall model

Figure: the waterfall phases in order: Investigate → Analyze → Logical Design → Physical Design → Implement → Maintain


Organizational influence on InfoSec

• Security policies must be compatible with organizational culture

• Information security professionals have the mission of protecting the system

• Information technology professionals who use the systems have a different set of values when it comes to security

• The two sets of values must be reconciled through appropriate changes to policies and procedures
