Introduction to Information Security - PowerPoint PPT Presentation
Slides: 16
Provided by: Sri672

Transcript and Presenter's Notes

1
Introduction to Information Security
2
Introduction to Information Security
  • Historical aspects of InfoSec
  • Critical characteristics of information
  • CNSS security model
  • Systems development life cycle for InfoSec
  • Organizational influence on InfoSec

3
Historical Aspects of InfoSec
  • Earliest InfoSec was physical security
  • In the early 1960s, a systems administrator was working on
    the Message of the Day (MOTD) file while another person with
    administrative privileges was editing the password file. The
    password file was appended to the MOTD and displayed to every
    user who logged in.
  • In the 1960s, ARPANET was developed to network
    computers in distant locations
  • The MULTICS operating system was developed in the
    mid-1960s by MIT, GE, and Bell Labs with security
    as a primary goal

4
Historical Aspects of InfoSec
  • In the 1970s, the Federal Information Processing
    Standards (FIPS) program examined DES (Data Encryption
    Standard) for information protection
  • In 1978, DARPA produced a report on vulnerabilities in
    military information systems
  • In 1979 two papers were published dealing with
    password security and UNIX security in remotely
    shared systems
  • In the 1980s the security focus was concentrated
    on operating systems as they provided remote
    connectivity

5
Historical Aspects of InfoSec
  • In the 1990s, the growth of the Internet and of
    LANs contributed to new threats to information
    stored in remote systems
  • IEEE, ISO, ITU-T, NIST and other organizations
    started developing many standards for secure
    systems
  • Information security is the protection of
    information and the systems and hardware that
    use, store, and transmit information

6
CNSS Model
  • CNSS stands for Committee on National Security
    Systems (a group belonging to the National
    Security Agency, NSA). CNSS has developed the
    National Security Telecommunications and
    Information Systems Security (NSTISSI) standards.
  • The NSTISSI standards are 4011, 4012, 4013, 4014,
    4015, and 4016. U of L has met the 4011 and 4012
    standards in its InfoSec curriculum.

7
CNSS Security Model
8
CNSS Security Model
  • The model is a 3 x 3 x 3 cube with 27 cells
  • Security applies to each of the 27 cells
  • These cells deal with people, hardware, software,
    data, and procedures
  • A hacker uses a computer (hardware) to attack
    another computer (hardware); procedures describe
    the steps to follow in preventing an attack
  • An attack can be either direct or indirect
  • In a direct attack one computer attacks another.
    In an indirect attack one computer causes another
    computer to launch the attack.

9
Systems Development Life Cycle for InfoSec
  • SDLC for InfoSec is very similar to SDLC for any
    project
  • The Waterfall model would apply to InfoSec as
    well
  • Investigation phase involves feasibility study
    based on a security program idea for the
    organization
  • Analysis phase involves risk assessment
  • Logical design phase involves continuity
    planning, disaster recovery, and incident response

10
Systems Development Life Cycle for InfoSec
  • The physical design phase involves evaluating the
    alternative options available for realizing the
    design physically
  • The implementation phase is very similar to that of
    the general SDLC model: the design is put into practice
  • The maintenance phase involves implementing the
    design, evaluating the functioning of the system,
    and making changes as needed

11
SDLC Waterfall model
12
Organizational influence on InfoSec
  • Security policies must be compatible with the
    organizational culture
  • Information security professionals have the
    mission of protecting the system
  • Information technology professionals who use the
    systems have a different set of values when it
    comes to security
  • The two sets of values must be reconciled through
    appropriate changes to policies and procedures

13
Dr. Ronald Moore, CIO, U of L
14
Mr. Bruce Edwards, Information Security Officer
15
References
  • CNSS standards, www.nstissc.gov/html/library.html
  • P. Salus, "Net Insecurity", 1998,
    http://www.nluug.nl/events/sane98/aftermath/salus.html
  • D. Verton, "Staffing costs spur security
    outsourcing", Computerworld 35(11), March 2001,
    p. 20