Data and System Security

Chapter1InformationSecurityOverviewIM.pptx

Home >Computer Science homework help > Data and System Security

Chapter 1

Information Security Overview

Introduction

This chapter is about the philosophy and methodology that inform the core principles and practices of a successful and effective security program.

It introduces the fundamentals of security, the importance of security and the best way to go about it, and focuses primarily on philosophies that underpin security.

The Importance of Information Protection

Information is an important asset.

The more information you have at your command, the better you can adapt to the world around you.

In business, information is often one of the most important assets a company can possess.

Information differentiates companies and provides leverage that helps one company become more successful than another.

Information Security Overview

Key questions to ask before embarking on any security endeavor:

What are you trying to protect?

Why are you trying to protect it?

How will you protect it?

We cover some background information and axioms, ideologies, reasoning, values, and viewpoints you should keep in mind whenever you are considering security tools and techniques.

The Evolution of Information Security

Justifying Security Investment

Business Agility

Cost Reduction

Portability

By improving access to the information that drives its business, every company can expand its business influence on a global scale, regardless of the company’s size or location.

Information, one of the most important assets a company can possess, is even more valuable when shared with those authorized to have it.

Modern security practices provide information to those who need it without exposing it to those who should not have it.

Security Methodology

The Three Ds of Security

Defensive measures reduce the likelihood of a successful compromise of valuable assets, thereby lowering risk and potentially saving the expense of incidents that might otherwise not be avoided.

Another aspect of security is detection. In order to react to a security incident, you first need to know about it.

Deterrence is another aspect of security. It is considered to be an effective method of reducing the frequency of security compromises, and thereby the total loss due to security incidents.

How to Build a Security Program

Authority

Framework

Assessment

Planning

Action

Maintenance

Begin with describing what is needed and why, and to proceed to define how it will be implemented, when, and using which particular methods.

The Impossible Job

The job of the attacker is always

easier than the job of the defender.

The attacker needs only to find one weakness, while the defender must try to cover all possible vulnerabilities.

The attacker has no rules—he can follow unusual paths, abuse the trust of the system, or resort to destructive practices.

The defender must try to keep his assets intact, minimize damage, and keep costs down—like fighting off a horde of spider monkeys with only two arms.

The Weakest Link

A security infrastructure will drive an attacker to the weakest link.

The weakest link will attract the greatest number of attacks.

Business Processes vs. Technical Controls

In security, there is no magic bullet.

Business processes should determine the choice of tools, and the tools are used to facilitate the business processes—not the other way around.

Before selecting security products, the business processes must be identified so that security products can be chosen that fit appropriately into the business environment.

Summary

Security should solve specific problems consistent with clearly identified requirements.

Security benefits business by reducing costs and creating new revenue opportunities.

Security can be thought of in the context of the three Ds:

Defense – reduces misuse and accidents

Detection – provides visibility into good and bad activities

Deterrence – discourages unwanted behavior

Strategies are used to manage proactive security efforts, and tactics are used to manage reactive security efforts.