Information Systems Security

What is information system? An information system is a software system to capture, transmit,

store, retrieve, manipulate, or display information, thereby supporting people, organizations, or
other software systems.
What is information system security?
Overview: This chapter illustrates several general trends from the 1960s through the decade
following 2000:
 In the early decades of modern information technology (IT), computer crimes were
largely committed by individual disgruntled and dishonest employees.
 Physical damage to computer systems was a prominent threat until the 1980s.
 Criminals often used authorized access to subvert security systems as they modified data
for financial gain or destroyed data for revenge.
 Early attacks on telecommunications systems in the 1960s led to subversion of the long-
distance phone systems for amusement and for theft of services.
 As telecommunications technology spread throughout the IT world, hobbyists with
criminal tendencies learned to penetrate systems and networks.
 Programmers in the 1980s began writing malicious software, including self-replicating
programs, to interfere with personal computers.
 As the Internet increased access to increasing numbers of systems worldwide, criminals
used unauthorized access to poorly protected systems for vandalism, political action, and
financial gain.
 As the 1990s progressed, financial crime using penetration and subversion of computer
systems increased.
 The types of malware shifted during the 1990s, taking advantage of new vulnerabilities
and dying out as operating systems were strengthened, only to succumb to new attack
vectors.
 Illegitimate applications of e-mail grew rapidly from the mid-1990s onward, generating
torrents of unsolicited commercial and fraudulent e-mail.
Of somewhat lesser concern, computers used in financial applications, such as facilitating the
purchase and sales of everything from matchsticks to mansions, and transferring trillions of
dollars each day in electronic funds, are irresistible to miscreants; many of them see these
activities as open invitations to fraud and theft. Computer systems, and their interconnecting
networks, are also prey to vandals, malicious egotists, terrorists, and an array of individuals,
groups, companies, and governments’ intent on using them to further their own ends, with total
disregard for the effects on innocent victims. Besides these intentional attacks on computer
systems, there are innumerable ways in which inadvertent errors can damage or destroy a
computer’s ability to perform its intended functions. Because of these security problems, as well
as a great many others described in this volume, the growth of information systems security has
paralleled that of the computer field itself. Only by a detailed study of the potential problems,
and implementation of the suggested solutions, can computers be expected to fulfill their
promise, with few of the security lapses that plague less adequately protected systems.
Security can be defined as the state of being free from danger and not exposed to damage from
accidents or attack, or it can be defined as the process for achieving that desirable state. The
objective of information system security is to optimize the performance of an organization with
respect to the risks to which it is exposed.
What is Information Security?
• The protection of information and its critical elements, including systems and hardware
that use, store, and transmit that information
• Necessary tools: policy, awareness, training, education, technology
• C.I.A.(confidentiality, integrity, availability) triangle was standard based on
confidentiality, integrity, and availability
• C.I.A. triangle now expanded into list of critical characteristics of information
Risk is defined as the chance of injury, damage, or loss. Thus, risk has two elements: (1) chance
—an element of uncertainty, and (2) loss or damage. Except for the possibility of restitution,
information system security (ISS) actions taken today work to reduce future risk losses. Because
of the uncertainty about future risk losses, perfect security, which implies zero losses, would be
infinitely expensive. For this reason, ISS risk managers strive to optimize the allocation of
resources by minimizing the total cost of ISS measures taken and the risk losses experienced.
This optimization process is commonly referred to as risk management.
Risk management in this sense is a three-part process:
 Identification of material risks,
 Selection and implementation of measures to mitigate the risks, and
 Tracking and evaluating of risk losses experienced, in order to validate the first two parts
of the process
Critical concepts of Information Security
Confidentiality
Confidentiality of information ensures that only those with sufficient privileges may access
certain information. When unauthorized individuals or systems can access information,
confidentiality is breached. To protect the confidentiality of information, a number of measures
are used:

 Information classification

 Secure document storage

 Application of general security policies

 Education of information custodians and end users

Integrity
Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of
information is threatened when it is exposed to corruption, damage, destruction, or other
disruption of its authentic state. Corruption can occur while information is being compiled,
stored, or transmitted.
Availability
Availability is the characteristic of information that enables user access to information without
interference or obstruction and in a required format. A user in this definition may be either a
person or another computer system. Availability does not imply that the information is accessible
to any user; rather, it means availability to authorized users.
Privacy
The information that is collected, used, and stored by an organization is to be used only for the
purposes stated to the data owner at the time it was collected. This definition of privacy does
focus on freedom from observation (the meaning usually associated with the word), but rather
means that information will be used only in ways known to the person providing it.
Identification
An information system possesses the characteristic of identification when it is able to recognize
individual users. Identification and authentication are essential to establishing the level of access
or authorization that an individual is granted.
Authentication
Authentication occurs when a control provides proof that a user possesses the identity that he or
she claims.
Authorization
After the identity of a user is authenticated, a process called authorization provides assurance
that the user (whether a person or a computer) has been specifically and explicitly authorized by
the proper authority to access, update, or delete the contents of an information asset.
Accountability
The characteristic of accountability exists when a control provides assurance that every activity
undertaken can be attributed to a named person or automated process. For example, audit logs
that track user activity on an information system provide accountability.
History of computer security and Information Security
• Began immediately after the first mainframes were developed
• Groups developing code-breaking computations during World War II created the first
modern computers
• Physical controls to limit access to sensitive military locations to authorized personnel
• Rudimentary in defending against physical theft, espionage, and sabotage
The 1960s
• Advanced Research Procurement Agency (ARPA) began to examine feasibility of
redundant networked communications
• Larry Roberts developed ARPANET from its inception
The 1970s and 80s
• ARPANET grew in popularity as did its potential for misuse
• Fundamental problems with ARPANET security were identified
– No safety procedures for dial-up connections to ARPANET
– Non-existent user identification and authorization to system
• Late 1970s: microprocessor expanded computing capabilities and security threats
R-609
• Information security began with Rand Report R-609 (paper that started the study of
computer security)
• Scope of computer security grew from physical security to include:
– Safety of data
 – Limiting unauthorized access to data
– Involvement of personnel from multiple levels of an organization
The 1990s
• Networks of computers became more common; so too did the need to interconnect
networks
• Internet became first manifestation of a global network of networks
• In early Internet deployments, security was treated as a low priority
The Present
• The Internet brings millions of computer networks into communication with each other—
many of them unsecured
• Ability to secure a computer’s data influenced by the security of every computer to which
it is connected
Security/Privacy Vulnerabilities
Types of Vulnerabilities
• Physical vulnerabilities (Ex. Buildings)
• Natural vulnerabilities (Ex. Earthquake)
• Hardware and Software vulnerabilities (Ex. Failures)
• Media vulnerabilities (Ex. Disks can be stolen)
• Communication vulnerabilities (Ex. Wires can be tapped)
• Human vulnerabilities (Ex. Insiders)