INFORMATION SECURITY
Unit I
History, What is Information Security?, Critical Characteristics of Information, Components of an Information System, Securing the Components, Balancing Security and Access
WHAT IS..
Information Risk
Threat
Opportunity
Information security
HISTORY
Please refer to the document “Malware_History” added in Team’s Files
• 1960s: Organizations start to protect their computers
• 1970s: The first hacker attacks begin
• 1980s: Governments become proactive in the fight against cybercrime
• 1990s: Organized crime gets involved in hacking
• 2000s: Cybercrime becomes treated like a crime
• 2010s: Information security becomes serious
VARIOUS ASPECTS OF SECURITY
Physical Security – to protect the physical items, objects, or areas of an organization from unauthorized access and misuse.
Personal Security – to protect the individual or group of individuals who are authorized to access the organization and its operations.
Operations Security – to protect the details of a particular operation or series of activities.
Communications Security – to protect an organization’s communications media, technology, and content.
Network Security – to protect networking components, connections, and contents.
Information Security – to protect information assets.
CIA Triad (fundamental principles of Information Security):
1. Confidentiality – ensures information is inaccessible to unauthorized people
2. Integrity – ensures the data is accurate and trustworthy by preventing unauthorized modification
3. Availability – ensures authorized people can access the information when needed
CRITICAL CHARACTERISTICS OF INFORMATION
• The value of information comes from the characteristics it possesses:
  • Availability – available to authorized users on demand
  • Accuracy – error free to expected standards
  • Authenticity – original & genuine, not a fabrication
  • Confidentiality – undisclosed to unauthorized people
  • Integrity – whole, complete, and uncorrupted
  • Utility – serves the purpose & available in meaningful form
  • Possession – information is said to be in possession if one obtains it, independent of format or other characteristic.
While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality.
COMPONENTS OF INFORMATION SYSTEM
• An Information System (IS) is the entire set of software, hardware, data, people and networks necessary to use information as a resource in the organization
• Software
  • Exploitation of software accounts for a substantial portion of attacks on information
• Hardware
  • Physical security policies
  • Securing the physical location is important
• Data
  • Often the most valuable asset
  • Main target of intentional attacks
• People
  • Weakest link
  • Must be well trained and informed
• Networks
  • Locks and keys won’t work
COMPONENTS OF INFORMATION SECURITY
• Management of Information Security primarily focuses on the managerial aspects of information security, such as
  • access control models
  • information security governance
  • information security program assessment and metrics
• Network security consists of the policies and practices adopted to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources.
• Computer Security is the protection of computing systems and the data that they store or access.
• Computer and Data security refers to protective digital privacy measures that are applied to prevent unauthorized access to computers, databases and websites. Data security also protects data from corruption. Data security is an essential aspect of IT for organizations of every size and type.
Approaches to Information Security
The approaches are based on:
1. where planning is sourced and
2. from which direction the pressure for success is driven
APPROACHES TO INFO. SECURITY
Bottom Up approach
• Grassroots effort: systems administrators attempt to improve security of their systems
• Key advantage: technical expertise of individual administrators
• Seldom works, as it lacks several critical features:
  • Participant support
  • Scalability
Top Down approach
• Initiated by upper management
• Issue policy, procedures and processes
• Dictate goals and expected outcomes of project
• Determine accountability for each required action
• The most successful also involve a formal development strategy referred to as the systems development life cycle
SECSDLC – FORMAL APPROACH TO INFO. SECURITY
PHASES OF SECSDLC
INVESTIGATION
• Directive from management
• Creation of security policy
• Teams:
  – Analyse problem
  – Define scope
  – Specify goals
  – Identify constraints
• Feasibility analysis
• Determine:
  – Resources
  – Commitment
ANALYSIS
Analysis of:
• Existing security policies
• Known threats
• Current controls
• Legal issues – privacy laws on personal info
Risk Management
  – Identify, assess & evaluate risk levels
  – Prioritise risks and manage them
Threat:
• Threat agent: the cause of danger – object, person or entity
• Vulnerability: weakness, exposure, helplessness, defencelessness
DESIGN
• LOGICAL DESIGN
Team members:
  • Create & develop blueprint for security
  • Examine & implement key policies
• PHYSICAL DESIGN
Team members:
  • Evaluate technology to support security blueprint
  • Generate alternative solutions
  • Agree on final design
  • Also includes developing criteria for determining the definition of a successful solution.
PHASES OF SECSDLC
DESIGN
• Policies provide rules for protection of information assets
  – General/security program policy
  – Issue-specific security policy
  – System-specific security policy
• SETA
  – Security education – building in-depth education
  – Security training – develop skills & knowledge
  – Security awareness – improving awareness
• Design of controls
  – Managerial
  – Operational
  – Technical
IMPLEMENTATION
• Security solutions acquired, implemented and tested
• Personnel issues
  – Training
  – Education programs
• Management of project plan
• Staffing InfoSec function
  – Position & name security function
  – Understand impact of InfoSec across IT
  – Integrate InfoSec concepts into personnel management practices
• Information Security Professionals
  – CIO, CISO, Security Manager, Data Owner, Data Custodian, Data users
• Professional Certification
MAINTENANCE
• Maintenance Model
• External monitoring
• Internal monitoring
• Planning & risk assessment
• Vulnerability assessment & remediation – penetration testing
• Readiness & review – functionality
MAINTENANCE MODEL
• Fault Management – identify and address faults
• Configuration & Change Management – change components & change administration
• Accounting Management & Auditing – system monitoring
• Performance Management
THREATS TO INFORMATION SECURITY
Overview of various threats to information security:
• Potential Acts of Human Error or Failure
• Deliberate Acts of Espionage or Trespass
• Deliberate Acts of Information Extortion
• Deliberate Acts of Sabotage or Vandalism
• Deliberate Acts of Theft
• Deliberate Software Attacks
• Forces of Nature
• Potential Deviations in Quality of Service from Service Providers
• Technical Hardware Failures or Errors
• Technical Software Failures or Errors
• Technological Obsolescence
CLASSIFICATION OF SECURITY VULNERABILITIES
Information security threats are realized through contact with gaps in the protection system, that is, with factors of vulnerability.
The main vulnerabilities are caused by the following factors:
• Shortcomings of software or hardware
• Different characteristics of the structure of automated systems in the information flow
• Inadequacy of some operational processes of the system
• Inaccuracy of information exchange protocols and interfaces
• Difficult operating conditions and conditions in which the information is located
Most often, the sources of threats are triggered in order to obtain illegal benefits after damaging information. However, an accidental effect of threats due to insufficient protection and a mass attack of a threatening factor is also possible.
If you eliminate or at least mitigate the impact of vulnerabilities, you can avoid a significant threat meant to damage the storage system.
Types of Vulnerabilities: Objective, Subjective, Random
Random vulnerabilities
These factors vary depending on unforeseen circumstances and features of the information environment. They are almost impossible to predict in the information space, but you must be prepared to rapidly eliminate them.
Engineering and technical investigation or a response attack will help to mitigate the following problems:
1. System failures:
• Caused by malfunctions of technical means at different levels of processing and storage of information (including those responsible for system performance and access to it).
• Malfunctions and obsolete elements (demagnetization of data carriers, such as diskettes, cables, connection lines and microchips).
• Malfunctions of different software that supports all links in the chain of information storage and processing (antiviruses, application and service programs).
• Malfunctions of auxiliary equipment of information systems (power transmission failures).
2. Factors weakening information security:
• Damage to communications such as water supply, electricity, ventilation and sewerage.
• Malfunctions of enclosing devices (fences, walls in buildings, housing of the equipment where information is stored).
Objective vulnerabilities
They depend on the technical design of the equipment which is installed on the object requiring protection, as well as its characteristics. It is impossible to escape all these factors, but their partial elimination can be achieved through engineering techniques in the following cases:
1. Related to emission technical means:
• Electromagnetic techniques (side emission and signals from cable lines, elements of technical means).
• Sound versions (acoustic or with vibration signals).
• Electrical (slip of signals into the circuits of electrical network, through the induction into the lines and conductors, because of uneven current distribution).
2. Activated:
• Malware, illegal programs, technological exits from programs which are together called ‘implant tools’.
• Hardware implants: introduced directly into telephone lines, electrical networks or premises.
3. Due to the characteristics of a protected object:
• Object location (visibility and absence of a controlled zone around the information object, presence of vibration or sound reflecting elements around the object, presence of remote elements of the object).
• Arrangement of information exchange channels (use of radio channels, lease of frequencies or use of shared networks).
4. Those that depend on the characteristics of carriers:
• Parts with electro-acoustic modifications (transformers, telephone devices, microphones and loudspeakers, inductors).
• Elements under the influence of electromagnetic field (carriers, microcircuits and other elements).
Subjective vulnerabilities
In most cases, the vulnerabilities of this subtype result from inadequate employee actions at the level of storage and protection system development. Eliminating such factors is possible using hardware and software:
1. Inaccuracies and gross errors that violate information security:
• At the stage of loading the ready software or preliminary algorithm development, as well as during its use (possibly, during daily use or during data entry).
• When managing programs and information systems (difficulties in the training to work with the system, individual set up of services, manipulation of information flows).
• During the use of technical equipment (during switch-on or switch-off, the use of devices for transmitting or receiving information).
2. System malfunctions in the information environment:
• The mode of protection of personal data (the problem may be caused by laid-off employees or current employees during off-hours when they get unauthorized access to the system).
• Safety and security mode (when accessing facilities or technical devices).
• While working with devices (inefficient energy use or improper equipment maintenance).
• While working with data (change of information, its saving, search and destruction of data, elimination of defects and inaccuracies).
