
Introduction to Information Security


kaylee

Presentation Transcript


    1. Introduction to Information Security

    2. Introduction to Information Security
       - Historical aspects of InfoSec
       - Critical characteristics of information
       - CNSS security model
       - Systems development life cycle for InfoSec
       - Organizational influence on InfoSec

    3. Historical Aspects of InfoSec
       - Earliest InfoSec was physical security
       - In early 1960, a systems administrator worked on Message of the Day (MOTD) and another person with administrative privileges edited the password file. The password file got appended to the MOTD.
       - In the 1960s, ARPANET was developed to network computers in distant locations
       - The MULTICS operating system was developed in the mid-1960s by MIT, GE, and Bell Labs with security as a primary goal

    4. Historical Aspects of InfoSec
       - In the 1970s, Federal Information Processing Standards (FIPS) examines DES (Data Encryption Standard) for information protection
       - DARPA creates a report on vulnerabilities in military information systems in 1978
       - In 1979, two papers were published dealing with password security and UNIX security in remotely shared systems
       - In the 1980s, the security focus was concentrated on operating systems as they provided remote connectivity

    5. Historical Aspects of InfoSec
       - In the 1990s, the growth of the Internet and the growth of the LANs contributed to new threats to information stored in remote systems
       - IEEE, ISO, ITU-T, NIST and other organizations started developing many standards for secure systems
       - Information security is the protection of information and the systems and hardware that use, store, and transmit information

    6. Critical Characteristics of Information
       - An early security standard was known as the C.I.A. (Confidentiality, Integrity, Availability) triangle
       - Availability means that an authorized user who needs information has access to it when needed without interference or obstruction
       - To make information available to proper users one needs to authenticate the user, often remotely and in an automated manner

    7. Critical Characteristics of Information
       - Accuracy of information relates to its reliability, i.e., it is free from mistakes or errors. E.g., everyone expects their bank statement to reflect accurate information.
       - Authenticity of information refers to the quality of the information. This refers to the information being first hand. E.g., email is considered authentic if the sender is one whom you recognize.
       - Confidentiality of information refers to not falling into the hands of unauthorized people

    8. Critical Characteristics of Information
       - Ways to protect confidentiality are:
         - Classification of information (e.g., top secret, managers only, no foreign government)
         - Secure storage
         - Training for information handlers for protecting confidentiality
       - Integrity of information refers to the quality of information as uncorrupted and reliable. Integrity of information could be compromised by people handling it or by errors in communicating devices or the medium of communication.

    9. Critical Characteristics of Information
       - Utility of information refers to timeliness or relevance to the party using the information
       - Ownership of information refers to the person or group that controls information as it was responsible for its creation

    10. CNSS Model
       - CNSS stands for Committee on National Security Systems (a group belonging to the National Security Agency [NSA]).
       - CNSS has developed National Security Telecommunications and Information Systems Security (NSTISSI) standards.
       - NSTISSI standards are 4011, 4012, 4013, 4014, 4015, 4016.
       - U of L has met the 4011 and 4012 standards in the InfoSec curriculum.

    11. CNSS Security Model
