Information Security Principles and Practices


1 Information Security Principles and Practices
by Mark Merkow and Jim Breithaupt
Chapter 1: Why Study Information Security?

2 Chapter 1: Why Study Information Security?
© Pearson Education Information Security: Principles and Practices

3 Objectives
Recognize the growing importance of information security specialists
Develop a strategy for a career in information security
Comprehend information security in the context of the mission of a business

4 Introduction
To protect computers, networks, and the information they store, organizations are increasingly turning to information security specialists
An information security specialist is more than a technician who prevents hackers from attacking a Web site

5 Introduction cont.
We begin by trying to answer the first question most students starting out in the field ask: Why study information security?
In this book, we’ll examine both practical and theoretical skills security specialists use to protect information systems

6 Growing IT Security Importance and New Career Opportunities
Increased services to both end-users and employees create worlds of possibilities in satisfying customer needs, but …
they also create risks to the confidentiality, integrity, and availability of confidential or sensitive data

7 Increasing Demand by Government and Private Industry
Higher demand for expertly trained individuals
U.S. statistics: the security of computer networks will continue to increase in importance as more business is conducted over the Internet
Source:
Computerworld expects security pay to continue to outperform the market
Source:

8 Becoming an Information Security Specialist
Get the right certification
Certified Information Systems Security Professional (CISSP)
Global Information Assurance Certification (GIAC)
Consider earning a graduate degree in INFOSEC
Increase your disaster recovery and risk management skills
Build a home laboratory

9 Becoming an Information Security Specialist cont.
Get on a project working with strategic partners
Take a second look at government jobs

10 Schools Are Responding to Demands
Hundreds of community colleges, four-year universities, and post-graduate programs are offering degrees and certificates in emergency preparedness, counterterrorism, and security
The National Security Agency Centers of Academic Excellence

11 Contextualizing Information Security
Information security draws upon the best practices and experiences from multiple domains
An organization’s security posture defines its tolerance for risk and outlines how it plans to protect information and resources within its charge. This posture is documented in standards, guidelines, and procedures that must exist long before a single program is written or a computer is installed.

12 Definitions
Computer Security - generic name for the collection of tools designed to protect data and to thwart hackers
Network Security - measures to protect data during their transmission
Internet Security - measures to protect data during their transmission over a collection of interconnected networks
Here are some key definitions; note that the boundaries between them are blurred.

13 Remember: Aim of Course
Our focus in this book/course is on Internet security, which consists of measures to prevent, detect, and correct security violations that involve the transmission and storage of information.

14 Aspects of Security
Consider three aspects of information security:
security attack
security mechanism
security service
Now we will define each aspect…

15 Aspects of Security (definitions)
The OSI security architecture focuses on security attacks, mechanisms, and services. These can be defined briefly as follows:
Security attack: Any action that compromises the security of information owned by an organization.
Security mechanism: A process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack.
Security service: A processing or communication service that enhances the security of the data processing systems and the information transfers of an organization. The services are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service.

16 Passive Attacks
“Passive attacks” attempt to learn or make use of information from the system but do not affect system resources.
By eavesdropping on, or monitoring of, transmissions to:
+ obtain message contents (as shown above in Stallings Figure 1.3a), or
+ monitor traffic flows
Passive attacks are difficult to detect because they do not involve any alteration of the data.

18 Active Attacks
“Active attacks” attempt to alter system resources or affect their operation.
By modification of the data stream to:
+ masquerade of one entity as some other
+ replay previous messages (as shown above in Stallings Figure 1.4b)
+ modify messages in transit
+ denial of service
Active attacks present the opposite characteristics of passive attacks. Whereas passive attacks are difficult to detect, measures are available to prevent their success. On the other hand, it is quite difficult to prevent active attacks absolutely, because of the wide variety of potential physical, software, and network vulnerabilities. Instead, the goal is to detect active attacks and to recover from any disruption or delays caused by them.

20 Security Service
enhance security of data processing systems and information transfers of an organization
intended to counter security attacks
using one or more security mechanisms
often replicates functions normally associated with physical documents which, for example:
have signatures, dates;
need protection from disclosure, tampering, or destruction;
be notarized or witnessed;
be recorded or licensed
Consider the role of a security service, and what may be required. Note both similarities and differences with traditional paper documents, which for example: have signatures & dates; need protection from disclosure, tampering, or destruction; may be notarized or witnessed; may be recorded or licensed.

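The following Python sketch is an added example, not code from the book or these slides. It shows one concrete security mechanism of the kind slides 18 and 20 describe: an HMAC-SHA256 tag over a counter-prefixed message provides a data-integrity and origin-authentication service. The receiver detects the active attacks listed on slide 18 (modification in transit, masquerade by a party without the key, replay of an earlier frame), while a copy taken off the wire (the passive attack of slide 16) leaves nothing to detect and remains readable, because this mechanism gives no confidentiality. Denial of service is likewise outside its scope. The shared key, the frame layout (8-byte counter, payload, 32-byte tag) and the sample messages are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed shared key for the demonstration; a real deployment would
# provision it out of band and never embed it in source.
KEY = b"demo-shared-key-not-for-production"

TAG_LEN = 32   # HMAC-SHA256 digest length
CTR_LEN = 8    # big-endian 64-bit message counter


def protect(counter: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Build a frame: counter || payload || HMAC-SHA256(key, counter || payload).

    The counter is inside the authenticated data, so an attacker cannot
    renumber an old frame to slip it past the replay check."""
    header = struct.pack(">Q", counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Verifies tag first, then enforces a strictly increasing counter."""

    def __init__(self, key: bytes = KEY) -> None:
        self.key = key
        self.last_counter = -1

    def accept(self, frame: bytes):
        """Return (accepted, reason, payload)."""
        if len(frame) < CTR_LEN + TAG_LEN:
            return False, "truncated", None
        header, body, tag = frame[:CTR_LEN], frame[CTR_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        # Constant-time comparison; a plain == would leak timing information.
        if not hmac.compare_digest(tag, expected):
            # Covers both modification in transit and masquerade without the key.
            return False, "bad_tag", None
        (counter,) = struct.unpack(">Q", header)
        # Only frames with a valid tag may advance the counter; otherwise a
        # forger could burn counter values and lock out the honest sender.
        if counter <= self.last_counter:
            return False, "replayed", None
        self.last_counter = counter
        return True, "ok", body


def run_demo() -> dict:
    """Constructed scenario: honest sender, receiver, and an observer on the wire."""
    rx = Receiver()
    results = {}

    frame1 = protect(1, b"move 100 to account B")
    results["honest"] = rx.accept(frame1)[1]

    # Passive attack: copying the frame changes nothing the receiver can see,
    # and the payload is plaintext (integrity, not confidentiality).
    captured = bytes(frame1)
    results["eavesdropper_sees_plaintext"] = b"account B" in captured

    # Active attack 1: replay the captured frame.
    results["replay"] = rx.accept(captured)[1]

    # Active attack 2: modify a message in transit (flip one payload bit).
    frame2 = protect(2, b"move 100 to account B")
    tampered = bytearray(frame2)
    tampered[CTR_LEN + 5] ^= 0x01
    results["modified"] = rx.accept(bytes(tampered))[1]

    # Active attack 3: masquerade, forging a frame under a guessed key.
    forged = protect(3, b"move 900 to account X", key=b"attacker-guess")
    results["masquerade"] = rx.accept(forged)[1]

    # Rejected frames did not advance the counter, so legitimate traffic still flows.
    results["honest_after"] = rx.accept(frame2)[1]
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:28s} {outcome}")
```

The ordering inside `accept` is the design point worth noticing: the tag is checked before the counter so that unauthenticated frames can never influence receiver state, and the counter lives inside the authenticated data so that replay detection cannot be bypassed by renumbering. Rejecting a frame is detection and recovery in the sense of slide 15; it does not prevent the attacker from sending it, which matches the slide-18 observation that active attacks are detected rather than prevented absolutely.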
22 Security Services Examples
X.800: “a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers”
RFC 2828: “a processing or communication service provided by a system to give a specific kind of protection to system resources”
Note: security services implement security policies and are implemented by security mechanisms.
Two definitions of “security service” come from relevant standards. X.800 defines a security service as a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers. Perhaps a clearer definition is found in RFC 2828: a processing or communication service that is provided by a system to give a specific kind of protection to system resources; security services implement security policies and are implemented by security mechanisms.

24 Information Security Careers Meet the Needs of Business
To support business operations a number of common positions and career opportunities are needed:
Security administrators
Access coordinators
Security architects and network engineers
Security consultants
Security testers

25 Summary
Networked systems remain at risk from attacks originating both within and outside an organization

26 Summary cont.
The explosive growth of e-commerce and business uses of the Internet has created a growing demand for INFOSEC specialists

27 Summary cont.
The principles, approaches, and concepts in INFOSEC should work together to provide the harmonious mix of risk that modern business demands
