
Introduction to Information Security



Presentation Transcript


    1. Introduction to Information Security Module 1

    2. Objectives
       Definitions of information technology and information security
       Fundamental Security Concepts
       Ethics of IT Security

       This lesson is designed to provide an introductory background to three basic security concepts that help to shape information security practices.

    3. Definitions
       Information Technology: term used to describe computers and automated data processing.
       Information Security: protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

    4. CIA Triad
       Fundamental Characteristics
       Confidentiality: only those that should have access to data do.
       Integrity: ensures the data has not been changed.
       Availability: data is accessible when needed.

       The CIA triad is not the moniker for a secretive government agency; it's a widely used Information Security/Assurance (IA) model. This model identifies three key areas as fundamental characteristics for IA: Confidentiality, Integrity, and Availability. These three areas complement each other and help to frame information security practices. When securing information systems, you want to ensure all three areas are addressed: if information is corrupt but available that's bad, if data is available but corrupted that's bad, and so on. The CIA triad is a widely used information assurance (IA) model which identifies confidentiality, integrity and availability as the fundamental security characteristics of information. The three characteristics of the idealized model are also referred to as IA services, goals, aims, tenets or capabilities.

    5. Confidentiality
       Assurance of data privacy
       Only the intended and authorized recipients (individuals, processes, or devices) may access and read the data.
       Disclosure to unauthorized entities, for example using unauthorized network sniffing, is a confidentiality violation.
       Often provided through the use of cryptographic techniques

       Confidentiality addresses privacy of data: making sure only those that should have access to something have access to that something. Imagine you create a document containing all your accounts and passwords in it. You wouldn't want everyone in the world to be able to open and read that document; you would want it to be kept private and safe from prying eyes. That is the goal of confidentiality: protecting data and ensuring only authorized people, computers, or processes can access the data. Confidentiality is sometimes achieved by encrypting data. Data can be encrypted during transmission, when you buy something online from a website that uses SSL for example. Data can also be encrypted at rest, when it's sitting in a file on your PC or inside a database. Encryption helps protect data by ensuring only those with the proper key to decrypt the data can actually read it. If you encrypted that document with all your accounts and passwords in it, it would look like a bunch of random characters to anyone else who managed to open it or get a copy of it. Only those with the correct decryption key would be able to turn it from a collection of random characters into a readable document.

    6. Integrity
       Data integrity: assurance that the information has not been altered or corrupted in transmission from source to destination, willfully or accidentally, before it is read by its intended recipient.
       Source integrity: assurance that the sender of the information is who it is supposed to be. Source integrity may be compromised when an agent spoofs its identity and supplies incorrect information to a recipient.
       Digital signatures and hash algorithms are mechanisms used to provide data integrity.

       Integrity is a very important component of Information Assurance. Integrity ensures the data has not been changed; it is what it was supposed to be. Imagine you're sending a text message to a friend that says "meet me @ movies @ 8 PM". You want to make sure your friend receives the text as is: you don't want someone changing it to read "meet me @ ur house @ 8 PM", and you don't want it to get garbled so it reads "meet me !#!$!%!asdf112". In one case the message is intentionally altered and in the other case the message just got garbled in transmission, but in both cases the original message gets lost. It's also often important to be able to verify who sent a particular message; you need to verify the source of the data. If you receive an email from your friend telling you to meet them at the movies at 8 PM, you want to make sure it actually was your friend that sent the message and not someone impersonating your friend. Hash algorithms are methods of taking data and converting it to an alphanumeric code. When sending data you can send the data along with an alphanumeric code (created by the hash algorithm). The person receiving the data can run the same hash algorithm on the data and compare the code they generate with the one you sent. If those two codes match (the one you sent and the one they generated) then they know the data has not been modified or altered during transmission; it is what you sent and meant for them to receive. Digital signatures are a little different but operate along the same lines. Sometimes we want to make sure we know where the message came from AND make sure the data has not changed. A digital signature is a numeric code that uniquely identifies the sender of the message, i.e. only Bob can generate this signature, so this message had to come from Bob. While only Bob can produce his digital signature, anyone receiving the message can verify it was Bob that sent it.
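The hash-then-compare check and the digital signature described on this slide, as an added Go example that is not part of the original presentation. It uses the standard library's SHA-256 and Ed25519; the message texts are the slide's own, and Bob's key pair is generated on the fly. It also shows the caveat the slide leaves implicit: a bare hash catches accidental garbling but not a deliberate change by someone who recomputes the hash, which is why source integrity needs a signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// HashOf is the code the sender attaches to the data: the hex SHA-256 of the text.
func HashOf(text string) string {
	sum := sha256.Sum256([]byte(text))
	return hex.EncodeToString(sum[:])
}

// HashMatches is the receiver's check: rerun the same hash over the received
// text and compare it with the code that arrived alongside it.
func HashMatches(receivedText, receivedHash string) bool {
	return HashOf(receivedText) == receivedHash
}

// Sign produces Bob's digital signature over the text. Only the holder of
// Bob's private key can produce it; anyone holding the public key can check it.
func Sign(priv ed25519.PrivateKey, text string) []byte {
	return ed25519.Sign(priv, []byte(text))
}

// Verify is the receiver's source-integrity check with Bob's public key.
func Verify(pub ed25519.PublicKey, text string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(text), sig)
}

func main() {
	// Constructed sample: the slide's text message and its two bad copies.
	original := "meet me @ movies @ 8 PM"
	sentHash := HashOf(original)
	// Garbled in transit: the hash no longer matches, so the corruption is detected.
	fmt.Println("garbled passes:", HashMatches("meet me !#!$!%!asdf112", sentHash)) // false
	// Deliberately altered by someone who also recomputes the hash: NOT detected.
	// A plain hash has no secret, so it only protects against accidental change.
	altered := "meet me @ ur house @ 8 PM"
	fmt.Println("altered passes:", HashMatches(altered, HashOf(altered))) // true
	// A signature binds the text to Bob's key, so the altered text fails to verify.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sig := Sign(priv, original)
	fmt.Println("original verifies:", Verify(pub, original, sig)) // true
	fmt.Println("altered verifies:", Verify(pub, altered, sig))   // false
}
```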

    7. Availability
       Timely and reliable access to data services by authorized users
       It ensures information or resources are available when needed, at a rate which is fast enough for the system to perform its intended task.
       While confidentiality and integrity can be protected, an attacker may cause resources to become less available than required, or not available at all.
       Robust protocols and operating systems, redundant network architectures, and system hardware without any single points of failure help to ensure system reliability and robustness.
       A Denial of Service (DoS) attack is an attack against availability.

       Availability is, quite simply, the concept that data is available when it's needed or requested. When a user needs to access the data, it's there and is delivered in a timely manner; the user is able to get what they need without significant delays. Attackers will often target the availability component to deny access to data, especially when going after web servers. If an attacker can prevent anyone from reaching a website or can succeed in slowing the website down so much it's basically non-responsive, then the attacker has denied availability to that web server. The data on the website is safe; it has not been corrupted or altered, but it's just not available anymore. A Denial of Service (DoS) attack is an attack against availability. The attacker is trying to deny service to anyone wishing to use the target of the attack.

    8. Ethics of IT Security
       Ten Commandments of Computer Ethics
       1. Thou shalt not use a computer to harm other people.
       2. Thou shalt not interfere with other people's computer work.
       3. Thou shalt not snoop around in other people's computer files.
       4. Thou shalt not use a computer to steal.
       5. Thou shalt not use a computer to bear false witness.
       6. Thou shalt not copy or use proprietary software for which you have not paid.
       7. Thou shalt not use other people's computer resources without authorization or proper compensation.
       8. Thou shalt not appropriate other people's intellectual output.
       9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
       10. Thou shalt always use a computer in ways that insure consideration and respect for your fellow humans.

    9. Ethics of IT Security
       Be a Good Online Citizen
       Safer for me, more secure for all: what you do online has the potential to affect everyone at home, at work and around the world. Practicing good online habits benefits the global digital community.
       Respect other online citizens: post only about others as you would have them post about you.
       Reference and acknowledgment: represent authorship and reference others when using their ideas.
       Help the authorities fight cyber crime: report stolen finances or identities and other cybercrime to www.ic3.gov (Internet Crime Complaint Center) or the Federal Trade Commission at http://www.onguardonline.gov/file-complaint.
       Source: www.staysafeonline.org/sites/default/files/resource_documents/STC%20tips%20and%20advice_0.pdf

    10. Ethics of IT Security
       For more on online safety:
       http://www.staysafeonline.org/
       http://www.cybercrime.gov/cyberethics.htm
       http://www.onguardonline.gov/topics/net-cetera-heads-up-introduction.aspx
       http://www.getnetwise.org/
       http://xblock.isafe.org/
       http://www.ikeepsafe.org/digital-citizenship/ethical-use/

    11. True or False
       1. Information security describes non-repudiation, availability, and confidentiality of computer systems.
       2. An IT Security professional with authorized access is expected to snoop around their coworkers' personal computer files.
       3. Confidentiality, integrity, and availability are the fundamental concepts behind information security.
       4. If data is not accessible, it is still secure as long as it has not been altered or deleted.
       5. It is the responsibility of people who create and use the technology to make sure that it is utilized in a responsible and ethical manner.
       6. Validation of sender is not necessary, as long as data is sent over a secure channel.

    12. True or False (answers)
       1. Information security describes non-repudiation, availability, and confidentiality of computer systems. TRUE
       2. An IT Security professional with authorized access is expected to snoop around their coworkers' personal computer files. FALSE
       3. Confidentiality, integrity, and availability are the fundamental concepts behind information security. TRUE
       4. If data is not accessible, it is still secure as long as it has not been altered or deleted. FALSE
       5. It is the responsibility of people who create and use the technology to make sure that it is utilized in a responsible and ethical manner. TRUE
       6. Validation of sender is not necessary, as long as data is sent over a secure channel. FALSE

    13. Summary
       Provided background on fundamental security concepts, creating a framework for how to protect information systems
       Defined information technology and information security
       Discussed IT ethics

    14. List of References
       http://en.wikipedia.org/wiki/CIA_triad
       http://www.sans.org/reading_room/whitepapers/policyissues/498.php
       http://www.sharepointsecurity.com/content-130.html
       http://media.wiley.com/product_data/excerpt/29/07645393/0764539329.pdf
       http://www.sans.org/reading_room/whitepapers/legal/legal-system-ethics-information-security_54
       http://www.staysafeonline.org/sites/default/files/resource_documents/STC%20tips%20and%20advice_0.pdf