Chap 01 InfoSec

Information Security
by Mark Merkow and Jim Breithaupt
Chapter 1: Why Study Information Security?
Objectives

- Recognize the growing importance of information security specialists
- Develop a strategy for pursuit of a career in information security
- Comprehend information security in the context of the mission of a business

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

Introduction

- To protect computers, networks, and the information they store, organizations are increasingly turning to information security specialists
- An information security specialist is more than a technician who prevents hackers from attacking a web site

Introduction (cont.)

- We begin by trying to answer the first question most students starting out in the field ask: Why study information security?
- In this book, we'll examine both practical and theoretical skills security specialists use to protect information systems

The Growing Importance of IT Security and New Career Opportunities

- Increased services to both vendors and employees create worlds of possibilities in satisfying customer needs, but …
- They also create risks to the confidentiality, integrity, and availability of confidential or sensitive data

Increasing Demand by Government and Private Industry

- The number of information security specialists is expected to grow 36% from 2012 to 2022
- Higher demand for expertly trained individuals
  - U.S. Bureau of Labor Statistics
  - The security of computer networks will continue to increase in importance as more business is conducted over the Internet
  - There will be a high demand for managers proficient in computer security issues
- Source: www.collegegrad.com/careers/manage30.shtml

Aim of Course

- Our focus is on Information Security, which consists of measures to deter, prevent, detect, and correct security violations that involve the transmission and storage of information

Becoming an Information Security Specialist

- Getting a degree in information security will involve taking classes in security architecture, laws and ethics, access control, disaster recovery and planning
- Get the right certification
  - Certified Information Systems Security Professional (CISSP)
  - System Security Certified Practitioner (SSCP)
  - Global Information Assurance Certification (GIAC): www.giac.org
- Consider earning a graduate degree in INFOSEC
- Increase your disaster recovery and risk management skills
- Build a home laboratory

Becoming an Information Security Specialist (cont.)

- Give something back to the INFOSEC community
- Get on a project working with strategic partners
- Consider an internship in IS
- Take a second look at government jobs

Schools Are Responding to Demands

- Hundreds of community colleges, 4-year universities, and post-graduate programs are offering degrees and certificates in emergency preparedness, counterterrorism, and security
  - Department of Homeland Security supports the Naval Postgraduate School for Homeland Defense and Security

Multidisciplinary Approach

- Security professionals must think like business leaders
- Exposure to nontechnical areas gives INFOSEC professionals a greater ability to address and resolve complex problems
  - Including probability and statistics, psychology, English, foreign languages, philosophy, ethics, history, and so on
- A wide range of educational experiences is a good foundation for an INFOSEC career

Contextualizing Information Security

Information security draws upon the best practices and experiences from multiple domains including:
- Compliance, policies, and standards
- Administration, auditing, access controls, and permission controls
- Intrusion detection and prevention and incident response
- Software development security
- Physical security
- Operations control
- Public key infrastructure and key management
- Disaster recovery
- Security testing
- Antivirus solutions
- Training and awareness

Information Security Careers Meet the Needs of Business

To support business operations a number of common positions and career opportunities are needed:
- Security administrators
- Access coordinators
- Security architects and network engineers
- Security consultants

Information Security Careers Meet the Needs of Business (cont.)

- Security testers
- Policymakers and standards developers
- Compliance officers
- Incident response team members
- Governance and vendor managers

Aspects of Security

Consider 3 aspects of information security:
- Security attack
- Security mechanism
- Security service

Attacks, Services and Mechanisms

- Security Attack: Any action that compromises the security of information.
- Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack.
- Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.

Security Threat

- Any action that compromises the security of information owned by an organization
- Information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems
- Often "threat" and "attack" are used to mean the same thing
- There is a wide range of attacks
- We can focus on generic types of attacks:
  - Passive
  - Active

Security Threats

Security Attacks

- Interruption: This is an attack on availability
- Interception: This is an attack on confidentiality
- Modification: This is an attack on integrity
- Fabrication: This is an attack on authenticity

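An added example, not from the textbook, showing in Python how one security mechanism (an HMAC-SHA256 tag bound to a sequence number) supports the integrity and authenticity services and how a receiver's checks respond to each of the four attack classes above. The shared key, the messages and the forger's wrong key are constructed for the demonstration.

```python
import hashlib
import hmac

KEY = b"constructed-shared-key-not-for-real-use"  # constructed sample key, not a real secret

def protect(key: bytes, seq: int, payload: bytes) -> tuple[bytes, bytes]:
    """Mechanism: bind a sequence number to the payload and tag both with HMAC-SHA256."""
    msg = seq.to_bytes(4, "big") + payload
    return msg, hmac.new(key, msg, hashlib.sha256).digest()

class Receiver:
    """Service built on the mechanism: integrity and authenticity via the tag,
    replay and gap (interruption) detection via the authenticated sequence number."""
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.expected_seq = 0

    def accept(self, msg: bytes, tag: bytes) -> str:
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            return "rejected: modification or fabrication"
        seq = int.from_bytes(msg[:4], "big")
        if seq < self.expected_seq:
            return "rejected: replay"
        gap = seq - self.expected_seq
        self.expected_seq = seq + 1
        return "accepted" if gap == 0 else f"accepted, {gap} message(s) missing (possible interruption)"

def demo() -> dict:
    """Deliver a genuine message, then apply each of the four attack classes to the channel."""
    rx = Receiver(KEY)
    results = {}
    msg0, tag0 = protect(KEY, 0, b"transfer 100 to account 42")
    results["genuine"] = rx.accept(msg0, tag0)
    # Modification (integrity): the amount is altered in transit, so the tag no longer matches
    msg1, tag1 = protect(KEY, 1, b"transfer 100 to account 42")
    results["modification"] = rx.accept(msg1[:4] + b"transfer 900 to account 42", tag1)
    # Fabrication (authenticity): a forger without KEY tags a message under a wrong key
    forged = msg1[:4] + b"transfer 100 to account 99"
    forged_tag = hmac.new(b"wrong-key", forged, hashlib.sha256).digest()
    results["fabrication"] = rx.accept(forged, forged_tag)
    # Interruption (availability): message 1 never arrives; the sequence gap reveals it
    msg2, tag2 = protect(KEY, 2, b"transfer 5 to account 7")
    results["interruption"] = rx.accept(msg2, tag2)
    # Replay of an old genuine message is also caught by the sequence check
    results["replay"] = rx.accept(msg0, tag0)
    # Interception (confidentiality): the tag adds no secrecy; an eavesdropper reads the plaintext
    results["interception_readable"] = b"account 42" in msg0
    return results
```

The last result is the caveat: an integrity mechanism detects modification and fabrication but does nothing against interception, which needs a confidentiality mechanism such as encryption.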
Security Goals

- Confidentiality
- Integrity
- Availability

Types of Security Threats

Passive Attacks

Active Attacks

Summary

- Networked systems remain vulnerable to attacks from within and outside an organization
- The explosive growth of e-commerce and the pervasive personal and business uses of the Internet have created a growing demand for information security professionals
- The principles, approaches, and concepts in INFOSEC should work together to provide the harmonious mix of risk and reward that modern business demands