
Unit 1

This document defines key information security concepts and the components of an information system. It discusses important concepts like assets, attacks, risks, threats, and vulnerabilities. It also outlines the critical characteristics of information including availability, accuracy, authenticity, confidentiality, integrity, utility, and possession. Finally, it describes the six key components of an information system - hardware, software, networks, people, procedures, and data.

Uploaded by

abcd1011891
Copyright
© © All Rights Reserved

1. Key Information Security Concepts

Access
A subject or object’s ability to use, manipulate, modify, or affect another subject
or object. Authorized users have legal access to a system, whereas hackers must
gain illegal access to a system. Access controls regulate this ability.
Asset
The organizational resource that is being protected. An asset can be logical, such
as a Web site, software information, or data; or an asset can be physical, such as a
person, computer system, hardware, or other tangible object. Assets, particularly
information assets, are the focus of what security efforts are attempting to protect.

Attack
An intentional or unintentional act that can damage or otherwise compromise
information and the systems that support it. Attacks can be active or passive,
intentional or unintentional, and direct or indirect. Someone who casually reads
sensitive information not intended for his or her use is committing a passive attack.
A hacker attempting to break into an information system is committing an
intentional attack.

Control, safeguard, or countermeasure
Security mechanisms, policies, or procedures that can successfully counter
attacks, reduce risk, resolve vulnerabilities, and otherwise improve security
within an organization.

Exploit
A technique used to compromise a system. This term can be a verb or a noun.
Threat agents may attempt to exploit a system or other information asset by using
it illegally for their personal gain. Or, an exploit can be a documented process to
take advantage of a vulnerability or exposure, usually in software, that is either
inherent in the software or created by the attacker. Exploits make use of existing
software tools or custom-made software components.

Exposure
A condition or state of being exposed; in information security, exposure
exists when a vulnerability is known to an attacker.

Loss
A single instance of an information asset suffering damage or destruction,
unintended or unauthorized modification or disclosure, or denial of use. When an
organization’s information is stolen, it has suffered a loss.

Protection profile or security posture


The entire set of controls and safeguards, including policy, education, training and
awareness, and technology, that the organization implements to protect the asset.

Risk
The probability of an unwanted occurrence, such as an adverse event or loss.
Organizations must minimize risk to match their risk appetite—the quantity and
nature of risk they are willing to accept.
Subjects and objects
A computer can be either the subject of an attack—an agent entity used to conduct
the attack—or the object of an attack: the target entity. A computer can also be both
the subject and object of an attack. For example, it can be compromised by an
attack (object) and then used to attack other systems (subject).

Threat
A category of objects, people, or other entities that represents a danger to an
asset. Threats are always present and can be purposeful or undirected. For
example, hackers purposefully threaten unprotected information systems, while
severe storms incidentally threaten buildings and their contents.

Threat agent

The specific instance or a component of a threat. For example, the threat of
“trespass or espionage” is a category of potential danger to information assets,
while “external professional hacker” (like Kevin Mitnick, who was convicted of
hacking into phone systems) is a specific threat agent.

Vulnerability
A weakness or fault in a system or protection mechanism that opens it to attack or
damage. Some examples of vulnerabilities are a flaw in a software package, an
unprotected system port, and an unlocked door.

2. Critical Characteristics of Information

The value of information comes from the characteristics it possesses. When a
characteristic of information changes, the value of that information either increases
or, more commonly, decreases. Some characteristics affect information’s value to
users more than others, depending on circumstances. Each critical characteristic of
information—that is, the expanded C.I.A. triangle—is defined in the following
sections.
Availability
Availability enables authorized users—people or computer systems—to access
information without interference or obstruction and to receive it in the required
format. Consider, for example, research libraries that require identification before
entrance. Librarians protect the contents of the library so that they are available
only to authorized patrons. The librarian must accept a patron’s identification
before the patron has free access to the book stacks. Once authorized patrons have
access to the stacks, they expect to find the information they need in a usable
format and familiar language. In this case, the information is bound in a book that
is written in English.

Accuracy
Information has accuracy when it is free from mistakes or errors and has the
value that the end user expects. If information has been intentionally or
unintentionally modified, it is no longer accurate. If a bank teller, for instance,
mistakenly adds or subtracts too much money from your account, the value of the
information is changed. Or, you may accidentally enter an incorrect amount into
your account register. Either way, an inaccurate bank balance could cause you to
make other mistakes, such as bouncing a check.

Authenticity
Authenticity of information is the quality or state of being genuine or original,
rather than a reproduction or fabrication. Information is authentic when it is in the
same state in which it was created, placed, stored, or transferred. E-mail spoofing,
the act of sending an e-mail message with a modified field, is a problem for many
people today because the modified field often is the address of the originator.
Spoofing the sender’s address can fool e-mail recipients into thinking that the
messages are legitimate traffic, thus inducing them to open e-mail they otherwise
might not have.

Confidentiality
Information has confidentiality when it is protected from disclosure or exposure to
unauthorized individuals or systems. Confidentiality ensures that only users with
the rights and privileges to access information are able to do so. When unauthorized
individuals or systems can view information, confidentiality is breached. To
protect the confidentiality of information, you can use several measures, including
the following:
● Information classification
● Secure document storage
● Application of general security policies
● Education of information custodians and end users

Integrity

Information has integrity when it is whole, complete, and uncorrupted. The
integrity of information is threatened when it is exposed to corruption, damage,
destruction, or other disruption of its authentic state. Corruption can occur while
information is being stored or transmitted. Many computer viruses and worms are
designed with the explicit purpose of corrupting data. For this reason, a key
method for detecting a virus or worm is to look for changes in file integrity, as
shown by the file size. Another key method of assuring information integrity is file
hashing, in which a file is read by a special algorithm that uses the bit values in the
file to compute a single large number called a hash value. The hash value for any
combination of bits is unique.
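
The two integrity checks described above, file size and file hashing, side by side. This is an added example, not part of the original notes; the file names, contents and the choice of SHA-256 are constructed assumptions. It records a trusted baseline, rescans, and separates changes a size comparison would catch from same-size edits that only the hash reveals.

```python
import hashlib
import os
import tempfile


def fingerprint(path, chunk_size=65536):
    """Return (size_in_bytes, sha256_hex) for one file, read in chunks."""
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
            size += len(chunk)
    return size, digest.hexdigest()


def build_baseline(root):
    """Map each file's path (relative to root) to its fingerprint."""
    baseline = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def compare(baseline, current):
    """Classify every difference between a trusted baseline and a new scan."""
    report = {"added": [], "removed": [], "size_changed": [], "content_changed": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel][0] != current[rel][0]:
            report["size_changed"].append(rel)
        elif baseline[rel][1] != current[rel][1]:
            # Same length, different bytes: a size-only check would miss this.
            report["content_changed"].append(rel)
    return report


def write(root, name, data):
    """Create or overwrite a sample file (helper for the demo only)."""
    with open(os.path.join(root, name), "wb") as fh:
        fh.write(data)


def demo():
    """Run the check over constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "payroll.csv", b"alice,5000\nbob,4200\n")
        write(root, "notes.txt", b"quarterly review\n")
        write(root, "old.log", b"boot ok\n")
        before = build_baseline(root)

        write(root, "payroll.csv", b"alice,5000\nbob,9200\n")  # same size
        write(root, "notes.txt", b"quarterly review\nappended line\n")
        os.remove(os.path.join(root, "old.log"))
        write(root, "new.bin", b"\x00\x01")
        return compare(before, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline itself has to be stored where the monitored system cannot rewrite it, otherwise whoever alters a file can alter its recorded hash as well.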

Utility
The utility of information is the quality or state of having value for some purpose
or end. In other words, information has value when it can serve a purpose. If
information is available but is not in a meaningful format to the end user, it is not
useful.
Possession

The possession of information is the quality or state of ownership or control.
Information is said to be in one’s possession if one obtains it, independent of
format or other characteristics. While a breach of confidentiality always results in a
breach of possession, a breach of possession does not always lead to a breach of
confidentiality. For example, assume a company stores its critical customer data
using an encrypted file system. An employee who has quit decides to take a copy
of the tape backups and sell the customer records to the competition. The removal
of the tapes from their secure environment is a breach of possession. But, because
the data is encrypted, neither the former employee nor anyone else can read it
without the proper decryption methods; therefore, there is no breach of
confidentiality.

4. The McCumber Cube

5. Components of an Information System

An information system (IS) is much more than computer hardware; it is the entire
set of people, procedures, and technology that enable business to use information.
The six critical components of hardware, software, networks, people, procedures,
and data enable information to be input, processed, output, and stored. Each of
these IS components has its own strengths and weaknesses, as well as its own
characteristics and uses. Each component of the information system also has its
own security requirements.
Software

The software component of an IS includes applications, operating systems, and
assorted command utilities. Software is perhaps the most difficult IS component to
secure. The exploitation of errors in software programming accounts for a
substantial portion of the attacks on information. The information technology
industry is rife with reports warning of holes, bugs, weaknesses, or other
fundamental problems in software. In fact, many facets of daily life are affected by
buggy software, from smartphones that crash to flawed automotive control
computers that lead to recalls.

Hardware

Hardware is the physical technology that houses and executes the software, stores
and transports the data, and provides interfaces for the entry and removal of
information from the system. Physical security policies deal with hardware as a
physical asset and with the protection of physical assets from harm or theft.
Applying the traditional tools of physical security, such as locks and keys, restricts
access to and interaction with the hardware components of an information system.
Securing the physical location of computers and the computers themselves
is important because a breach of physical security can result in a loss of
information. Unfortunately, most information systems are built on hardware
platforms that cannot guarantee any level of information security if unrestricted
hardware access is possible.

Data

Data stored, processed, and transmitted by a computer system must be protected.
Data is often the most valuable asset of an organization and therefore is the main
target of intentional attacks. Systems developed in recent years are likely to make
use of database management systems. When used properly, they should improve
the security of the data and the applications that rely on the data. Unfortunately,
many system development projects do not make full use of the database
management system’s security capabilities, and in some cases the database is
implemented in ways that make it less secure than traditional file systems.

People
Though often overlooked in computer security considerations, people have always
been a threat to information security. Unless policy, education and training,
awareness, and technology are properly employed to prevent people from
accidentally or intentionally damaging or losing information, they will remain the
weakest link. Social engineering can prey on the tendency to cut corners and the
commonplace nature of human error. It can be used to manipulate people to obtain
access information about a system.

Procedures

Procedures are another frequently overlooked component of an IS. Procedures are
written instructions for accomplishing a specific task. When an unauthorized user
obtains an organization’s procedures, it poses a threat to the integrity of the
information. Most organizations distribute procedures to employees so they can
access the information system, but many of these companies often fail to provide
proper education for using the procedures safely. Educating employees about
safeguarding procedures is as important as physically securing the information
system. After all, procedures are information in their own right. Therefore,
knowledge of procedures, as with all critical information, should be disseminated
among members of an organization on a need-to-know basis.

Networks

Networking is the IS component that created much of the need for increased
computer and information security. When information systems are connected to
each other to form local area networks (LANs), and these LANs are connected to
other networks such as the Internet, new security challenges rapidly emerge. Steps
to provide network security are essential, as is implementing alarm and intrusion
systems to make system owners aware of ongoing compromises.

6. The Security Systems Development Life Cycle

The same phases used in the traditional SDLC can be adapted to support the
implementation of an information security project. While the two processes may
differ in intent and specific activities, the overall methodology is the same. At its
heart, implementing information security involves identifying specific threats and
creating specific controls to counter them. The SecSDLC unifies this process and
makes it a coherent program rather than a series of random, seemingly
unconnected actions.

Investigation

The investigation phase of the SecSDLC begins with a directive from upper
management that dictates the process, outcomes, and goals of the project, as well
as its budget and other constraints. Frequently, teams of responsible managers,
employees, and contractors are organized; problems are analyzed; and the scope of
the project is defined along with specific goals and objectives and any additional
constraints not covered in the program policy. Finally, an organizational feasibility
analysis is performed to determine whether the organization has the resources and
commitment necessary to conduct a successful security analysis and design.

Analysis

In the analysis phase, the documents from the investigation phase are studied.
The development team conducts a preliminary analysis of existing security policies
or programs, documented current threats, and associated controls. This phase also
includes an analysis of relevant legal issues that could affect the design of the
security solution. Increasingly, privacy laws have become a major consideration
when making decisions about information systems that manage personal
information. Risk management focuses on identifying, assessing, and evaluating
the levels of risk in an organization, specifically the threats to its security and to
the information it stores and processes.

Logical Design

The logical design phase creates and develops the blueprints for information
security, and examines and implements key policies that influence later decisions.
At this stage, the team also plans incident response actions to be taken in the event
of partial or catastrophic loss. The planning answers the following questions:
● Continuity planning: How will business continue in the event of a loss?
● Incident response: What steps are taken when an attack occurs?
● Disaster recovery: What must be done to recover information and vital systems
immediately after a disastrous event?
Next, a feasibility analysis determines whether the project should be continued or
outsourced.
Physical Design
The physical design phase evaluates the information security technology
needed to support the blueprint as it has been outlined in the logical design. The
final physical design is usually chosen from several competing alternatives, each of
which could meet the logical design requirements. The information security
blueprint may be revisited from time to time to keep it in line with changes needed
when the physical design is completed. Criteria for determining the definition of
successful solutions are also prepared during this phase. This phase includes
designs for physical security measures to support the proposed technological
solutions. At the end of this phase, a feasibility study determines the organization’s
readiness for the proposed project, and then the champion and sponsors are
presented with the design. All parties involved have a chance to approve the
project before implementation begins.

Implementation

The implementation phase of the SecSDLC is similar to that of the traditional
SDLC. The security solutions are acquired (made or bought), tested, implemented,
and tested again. Personnel issues are evaluated, and specific training and
education programs are conducted. Finally, the entire tested package is presented
to upper management for final approval.

Maintenance and Change

Maintenance and change is the last phase, and perhaps the most important one,
given the ever-changing threat environment. Today’s information security
systems need constant monitoring, testing, modification, updating, and repairing.
As new threats emerge and old threats evolve, an organization’s information
security profile must constantly adapt to prevent threats from successfully
penetrating sensitive data. This constant vigilance and security can be compared to
that of a fortress, where threats both from outside and within must be constantly
monitored and checked with continuously new and more innovative technologies.

7. The NIST Approach to Securing the SDLC

Each phase of the SDLC should include consideration for the security of the
system being assembled as well as the information it uses. NIST provides an
overview of the security considerations for each phase of the SDLC.
To be most effective, information security must be integrated into the SDLC
from system inception. Early integration of security in the SDLC enables agencies
to maximize return on investment in their security programs, through:
● Early identification and mitigation of security vulnerabilities and
misconfigurations, resulting in lower cost of security control implementation and
vulnerability mitigation;
● Awareness of potential engineering challenges caused by mandatory security
controls;
● Identification of shared security services and reuse of security strategies and
tools to reduce development cost and schedule while improving security
posture through proven methods and techniques; and
● Facilitation of informed executive decision making through comprehensive
risk management in a timely manner. […]

Initiation

During this first phase of the development life cycle, security considerations are
key to diligent and early integration, thereby ensuring that threats, requirements,
and potential constraints in functionality and integration are considered. At this
point, security is looked at more in terms of business risks with input from the
information security office.

Key security activities for this phase include:


● Initial delineation of business requirements in terms of confidentiality,
integrity, and availability;
● Determination of information categorization and identification of known
special handling requirements to transmit, store, or create information such
as personally identifiable information; and
● Determination of any privacy requirements.

Development/Acquisition

This section addresses security considerations unique to the second SDLC phase.
Key security activities for this phase include:
● Conduct the risk assessment and use the results to supplement the baseline
security controls;
● Analyze security requirements;
● Perform functional and security testing;
● Prepare initial documents for system certification and accreditation; and
● Design security architecture.

Implementation/Assessment

Implementation/Assessment is the third phase of the SDLC. During this phase,
the system will be installed and evaluated in the organization’s operational
environment.
Key security activities for this phase include:
● Integrate the information system into its environment;
● Plan and conduct system certification activities in synchronization with
testing of security controls; and
● Complete system accreditation activities. […]

Operations and Maintenance

Operations and Maintenance is the fourth phase of the SDLC. In this phase,
systems are in place and operating, enhancements and/or modifications to the
system are developed and tested, and hardware and/or software is added or
replaced.

Key security activities for this phase include:


● Conduct an operational readiness review;
● Manage the configuration of the system;
● Institute processes and procedures for assured operations and continuous
monitoring of the information system’s security controls; and
● Perform reauthorization as required. […]

Disposal

Disposal, the final phase in the SDLC, provides for disposal of a system and
closeout of any contracts in place. Information security issues associated with
information and system disposal should be addressed explicitly.

Key security activities for this phase include:


● Building and executing a disposal/transition plan;
● Archival of critical information;
● Sanitization of media; and
● Disposal of hardware and software
