
Introduction and Overview of Information Security and Policy By: Hashem Alaidaros 4/10/2015 Lecture 1 IS 332.


1 Introduction and Overview of Information Security and Policy By: Hashem Alaidaros 4/10/2015 Lecture 1 IS 332

2 Main Points
Information Security and Policy: Definition
Key Security Concepts
Key Security Concepts Relationship

3 Definition
Information security is the practice of protecting information from unauthorized access, use, disclosure, alteration, inspection, recording or damage.
Information policy is the set of all public laws and regulations that control the creation, use, storage, access, and communication of information.
Information security policy is a set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources.

4 Key Security Concepts
Confidentiality: preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Integrity: guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity.
Availability: ensuring timely and reliable access to and use of information.
Source: Pearson Education, 2016.

5 Cyber Security vs. Cyber Crime
Cyber security: the protection of the confidentiality, integrity and availability of computer data and systems in order to enhance security, resilience, reliability and trust in ICT.
Figure: cyber security (red box) and cyber crime (blue box):
◦ Commonalities
◦ Differences

6 Key Security Concepts
Asset: anything that has value to the organization.
◦ Tangible and intangible assets.
◦ Examples:
Threat: a potential cause of an unwanted incident, which may result in harm to a system or organization.
◦ Capable of exploiting vulnerabilities.
◦ Source: intentional and unintentional threats.
◦ Origin: human and natural.
◦ Examples:
Exploit: a program or a "cookbook" describing how to take advantage of a specific vulnerability.
◦ Example:

7 Key Security Concepts
Vulnerability: a weakness of an asset or group of assets that can be exploited by a threat.
◦ Vulnerabilities occur in: code, configuration, design, policy, humans, and transfer.
◦ Example:
◦ Categories of vulnerabilities:
  ◦ Corrupted (loss of integrity)
  ◦ Leaky (loss of confidentiality)
  ◦ Unavailable or very slow (loss of availability)
Attack: a threat that is carried out (a threat action) and, if successful, leads to an undesirable violation of security, or threat consequence.

8 Key Security Concepts
Risk: an expectation of loss, expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result.
◦ The risk level increases when:
  ◦ the threat level increases,
  ◦ the asset value increases, or
  ◦ a vulnerability is found.
Risk = Threats x Vulnerabilities x Assets
The product is a mnemonic rather than an arithmetic formula: it says that risk needs all three factors at once, so if there is no threat, no vulnerability, or no asset of value, there is no risk.

9 Key Security Concepts

10 Importance of Key Security Concepts
To avoid the threats:
Know yourself
◦ Know the value of the assets and information you have to protect.
Know the threats you might face
◦ Intentional and unintentional threats.
Know the vulnerabilities you have
◦ Scanning
◦ Conducting ethical hacking (e.g. by a CEH holder)
Respond to the threats
◦ Actions to be taken to avoid the threats
◦ Actions to be taken when the threats occur

11 Key Security Concepts
Security control: a means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be administrative, technical, or management in nature.
◦ Example:
Countermeasure: an action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack.
◦ Example:

12 Key Security Concepts Relationship
An ontology is a formal naming and definition of the types, properties, and interrelationships of the things (individual concepts) that exist for a particular domain. Each individual concept has a relationship with one or more other concepts. The ontology in the following figure has 5 top-level classes: 1. asset, 2. countermeasure (e.g. control), 3. organization, 4. threat and 5. vulnerability. These 5 classes are the most basic in the security area.
Reference: Security Ontology for Adaptive Mapping of Security Standards, S. Ramanauskaitė, D. Olifer, N. Goranin, A. 2013

13 The overview of the concepts and relationships in the information security ontology

14 Key Security Concepts Relationship
The previous ontology can be extended as shown in the following figure. The central elements are threats, vulnerabilities, controls, and their implementations. As soon as a threat exploits a physical, technical, or administrative weakness, it gives rise to follow-up threats, represents a potential danger to the organization's assets, and affects specific security attributes (e.g., confidentiality, integrity, and/or availability). Potential threat origins (human or natural) and sources (accidental or deliberate) are also used to describe each threat. Each vulnerability is assigned a severity value and the asset on which it could be exploited. Decision makers have to implement controls to mitigate identified vulnerabilities and to protect the respective assets through preventive, corrective, recovery, or detective measures (control type).
Reference: Mapping ISO 27002 into Security Ontology, Ferran Alcázar, Vienna, Austria, 2004
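As an added illustration (not code from the slides or from either referenced paper), the Python sketch below models the relationships described on slides 12 and 14: threats with an origin and a source, the vulnerabilities they exploit, the asset and severity attached to each vulnerability, follow-up threats, the security attributes affected, and controls typed as preventive, detective, corrective or recovery. It then answers the two questions a decision maker asks of such a model: which exploitable vulnerabilities no control mitigates, and how exposed each asset is. The class names, the 1..5 scales, the sample assets, vulnerabilities, threats and controls are all constructed assumptions, and the exposure score is an assumed heuristic reading of slide 8's Risk = Threats x Vulnerabilities x Assets, not a method taken from the referenced work.

```python
"""Toy model of the threat / vulnerability / asset / control relationships.
Added illustration: classes, scales and sample data are assumptions, not the
ontology of the referenced papers."""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Attribute(Enum):
    CONFIDENTIALITY = "confidentiality"
    INTEGRITY = "integrity"
    AVAILABILITY = "availability"


class ControlType(Enum):
    PREVENTIVE = "preventive"
    DETECTIVE = "detective"
    CORRECTIVE = "corrective"
    RECOVERY = "recovery"


@dataclass(frozen=True)
class Asset:
    name: str
    value: int                 # relative value to the organization (assumed 1..5 scale)


@dataclass(frozen=True)
class Vulnerability:
    name: str
    asset: Asset               # the asset on which it could be exploited
    severity: int              # assumed 1..5 scale
    kind: str                  # code / configuration / design / policy / human / transfer


@dataclass(eq=False)           # eq=False: threats compare and hash by identity
class Threat:
    name: str
    origin: str                # "human" or "natural"
    source: str                # "deliberate" or "accidental"
    exploits: list[Vulnerability]
    affects: set[Attribute]    # security attributes the threat affects
    gives_rise_to: list[Threat] = field(default_factory=list)  # follow-up threats


@dataclass
class Control:
    name: str
    control_type: ControlType
    mitigates: list[Vulnerability]


def threat_chain(root: Threat) -> list[Threat]:
    """The root threat plus every follow-up threat it gives rise to, transitively."""
    seen: set[Threat] = set()
    order: list[Threat] = []
    stack = [root]
    while stack:
        t = stack.pop()
        if t in seen:          # guards against cycles between follow-up threats
            continue
        seen.add(t)
        order.append(t)
        stack.extend(reversed(t.gives_rise_to))
    return order


def affected_attributes(root: Threat) -> set[Attribute]:
    """Union of the attributes affected by a threat and all of its follow-up threats."""
    return set().union(*(t.affects for t in threat_chain(root)))


def is_mitigated(vuln: Vulnerability, controls: list[Control],
                 types: set[ControlType] | None = None) -> bool:
    """True if some control (optionally restricted to the given types) mitigates vuln."""
    return any(vuln in c.mitigates and (types is None or c.control_type in types)
               for c in controls)


def unmitigated_vulnerabilities(threats: list[Threat],
                                controls: list[Control]) -> set[Vulnerability]:
    """Vulnerabilities that some (follow-up) threat exploits and no control mitigates."""
    exploited = {v for root in threats for t in threat_chain(root) for v in t.exploits}
    return {v for v in exploited if not is_mitigated(v, controls)}


def exposure_by_asset(threats: list[Threat], controls: list[Control]) -> dict[str, int]:
    """Assumed heuristic reading of 'Risk = Threats x Vulnerabilities x Assets': each
    exploitable, unmitigated vulnerability adds severity * asset value to its asset's
    score. An asset with no such vulnerability is absent (any factor zero -> no risk)."""
    score: dict[str, int] = {}
    for v in unmitigated_vulnerabilities(threats, controls):
        score[v.asset.name] = score.get(v.asset.name, 0) + v.severity * v.asset.value
    return score


# ---- constructed sample scenario (not real data) ----
CUSTOMER_DB = Asset("customer database", value=5)
WEB_SERVER = Asset("public web server", value=3)

SQLI = Vulnerability("SQL injection in login form", WEB_SERVER, 4, "code")
UNPATCHED_DB = Vulnerability("unpatched database engine", CUSTOMER_DB, 5, "configuration")
NO_OFFSITE_BACKUP = Vulnerability("no offsite backups", CUSTOMER_DB, 3, "policy")

DATA_THEFT = Threat("data theft", "human", "deliberate", [UNPATCHED_DB],
                    {Attribute.CONFIDENTIALITY})
WEB_ATTACK = Threat("web application attack", "human", "deliberate", [SQLI],
                    {Attribute.CONFIDENTIALITY, Attribute.INTEGRITY}, gives_rise_to=[DATA_THEFT])
RANSOMWARE = Threat("ransomware", "human", "deliberate", [UNPATCHED_DB, NO_OFFSITE_BACKUP],
                    {Attribute.INTEGRITY, Attribute.AVAILABILITY})
THREATS = [WEB_ATTACK, RANSOMWARE]

CONTROLS = [
    Control("parameterised queries and input validation", ControlType.PREVENTIVE, [SQLI]),
    Control("WAF and IDS alerting", ControlType.DETECTIVE, [SQLI]),
    Control("monthly patch management", ControlType.PREVENTIVE, [UNPATCHED_DB]),
]
OFFSITE_BACKUPS = Control("tested offsite backups", ControlType.RECOVERY, [NO_OFFSITE_BACKUP])

if __name__ == "__main__":
    print("web attack chain:", [t.name for t in threat_chain(WEB_ATTACK)])
    print("attributes affected:", sorted(a.value for a in affected_attributes(WEB_ATTACK)))
    print("exposure before recovery control:", exposure_by_asset(THREATS, CONTROLS))
    print("exposure after recovery control:",
          exposure_by_asset(THREATS, CONTROLS + [OFFSITE_BACKUPS]))
```

In the sample, the web server's SQL injection is covered by both a preventive and a detective control and the database engine by patch management, so the only exposure left is the customer database's missing backups (severity 3 times asset value 5 = 15), which the ransomware threat exploits; adding the recovery control drives the score to zero. Removing all controls instead scores every exploitable vulnerability, which is the "vulnerability is found" case from slide 8.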

15

16 Computer and Network Assets, with Examples of Threats.

17 Multiple Domains and Information Security
Information security draws upon the best practices and experiences from multiple domains, including:
◦ Compliance, policies, and standards
◦ Administration, auditing, access controls, and permission controls
◦ Intrusion detection and prevention, and incident response
◦ Software development security
◦ Physical security
◦ Operations control
◦ Public key infrastructure and key management
◦ Disaster recovery
◦ Security testing
◦ Antivirus solutions
◦ Training and awareness

