Introduction to Information Security Concepts

What is Security?
The quality or state of being secure: to be free from danger.
A successful organization should have multiple layers of security in place:
Physical security
Personal security
Operations security
Communications security
Network security
Information security
Physical security
Physical security is the protection of personnel, hardware, programs, networks, and data from physical circumstances and events that could cause serious losses or damage to an enterprise, agency, or institution. This includes protection from fire, natural disasters, burglary, theft, vandalism, and terrorism.
Network security
Network security consists of the policies adopted to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources.
Network security involves the authorization of access to data in a network, which is controlled by the network administrator.
Confidentiality Policy
A confidentiality policy typically states that only authorised users are to be permitted to observe sensitive data, and that all unauthorised users are to be prohibited from such observation.
Integrity Policy
An integrity policy has two facets.
The first refers to the quality of the data that is stored in the computer. The integrity policy will state that the data should reflect reality to some degree. How best to do this is the subject of much research activity.
The second facet of integrity policy is associated with the data being available for use when it is legitimately needed. No user, whether he or she is or is not authorised to access some data item, should be able to unreasonably delay or prohibit another authorised user from legitimate access.
Availability Policy
The computer system should be available for use when it is needed, and it should satisfy some specified requirements for its mean-time-to-failure and its mean-time-to-repair.
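The confidentiality and integrity policies above can be enforced by a reference monitor that checks every read against the list of permitted observers, every write against the list of permitted modifiers, denies by default, and records each decision in an audit trail. The following is an added example written for this page, not code from the slides; the users, the "payroll" data item and the permission tables are constructed for illustration, and the digest check is one simple way to notice that stored data no longer matches its last authorised write.

```python
"""Toy reference monitor for a confidentiality and an integrity policy.
Added example; users, items and permission tables are constructed."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class ReferenceMonitor:
    # Confidentiality policy: only users listed here may observe an item.
    readers: Dict[str, Set[str]]
    # Integrity policy (first facet): only users listed here may change an item.
    writers: Dict[str, Set[str]]
    store: Dict[str, str] = field(default_factory=dict)
    digests: Dict[str, str] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def _allowed(self, user: str, action: str, item: str) -> bool:
        table = self.readers if action == "read" else self.writers
        # Default deny: an item with no policy entry is not accessible at all.
        return user in table.get(item, set())

    def _log(self, user: str, action: str, item: str, ok: bool) -> None:
        self.audit.append(f"{user} {action} {item}: {'ALLOW' if ok else 'DENY'}")

    def read(self, user: str, item: str) -> Optional[str]:
        ok = self._allowed(user, "read", item)
        self._log(user, "read", item, ok)
        if not ok:
            raise PermissionError(f"{user} may not observe {item}")
        return self.store.get(item)

    def write(self, user: str, item: str, value: str) -> None:
        ok = self._allowed(user, "write", item)
        self._log(user, "write", item, ok)
        if not ok:
            raise PermissionError(f"{user} may not modify {item}")
        self.store[item] = value
        # Keep a digest so a change made outside the monitor can be detected.
        self.digests[item] = hashlib.sha256(value.encode()).hexdigest()

    def verify(self, item: str) -> bool:
        """True if the stored value still matches its last authorised write."""
        current = hashlib.sha256(self.store.get(item, "").encode()).hexdigest()
        return current == self.digests.get(item)


def build_monitor() -> ReferenceMonitor:
    """Constructed policy: HR maintains payroll data; Alice may only observe it."""
    monitor = ReferenceMonitor(
        readers={"payroll": {"hr", "alice"}},
        writers={"payroll": {"hr"}},
    )
    monitor.write("hr", "payroll", "Q3 figures")
    return monitor


def demo() -> List[str]:
    """Exercise the policy and return the audit trail of decisions."""
    monitor = build_monitor()
    monitor.read("alice", "payroll")          # authorised observer
    try:
        monitor.read("bob", "payroll")        # unauthorised observation refused
    except PermissionError:
        pass
    try:
        monitor.write("alice", "payroll", "x")  # unauthorised modification refused
    except PermissionError:
        pass
    return monitor.audit


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run as a script it prints the four audit lines: the authorised write and read are allowed, the read by an unlisted user and the write by a read-only user are denied. Calling `verify("payroll")` after altering `store` directly (bypassing the monitor) returns `False`, which is the first facet of integrity in miniature: the stored data no longer reflects what an authorised user last wrote.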
Vocabulary: Incident
Vocabulary: Threat
Vocabulary: Vulnerability
Vocabulary: Exploit
Vocabulary: Malware
And more...
Security Concepts
Authentication
Authenticity
Audit
Confidentiality
Access
Security Lifecycle
0-day
Configuration problems
Logic flaws
Vulnerability Synergy
Sisyphean Task
Secure Design
Threat modeling
Penetration Testing
Black box
Gray box: some level of access and documentation available
White box
Using Automation
Resource Allocation
Risk Calculations
Reputational damage
Misinformation
Moving Forward
Securing Components
A computer can be the subject of an attack and/or the object of an attack.
When the subject of an attack, the computer is used as an active tool to conduct the attack.
When the object of an attack, the computer is the entity being attacked.
Senior Management
Chief Information Officer (CIO): senior technology officer, primarily responsible for advising senior executives on strategic planning.
Data Ownership
Data Owner: responsible for the security and use of a particular set of information.
Data Custodian: responsible for storage, maintenance, and protection of information.
Data Users: end users who work with information to perform their daily jobs supporting the mission of the organization.
Communities of Interest
A group of individuals united by similar interests or values in an organization:
Information Security Management and Professionals
Information Technology Management and Professionals
Organizational Management and Professionals