
Quick Quizzes - At a Glance Instructor’s Manual Table of Cont...

Testbanks Dec 29, 2025

Chapter 1

Introduction to Information Security

At a Glance

Instructor’s Manual Table of Contents

• Overview

• Objectives

• Teaching Tips

• Quick Quizzes

• Class Discussion Topics

• Additional Projects

• Additional Resources

• Key Terms

(Guide to Network Security 1e Michael Whitman, Herbert Mattord, David Mackey, Andrew Green) (Instructor Manual)

Guide to Network Security, 1st Edition

Lecture Notes

Overview

Network security is a critical component in the day-to-day IT operations of nearly every organization in business today. This chapter offers an overview of the entire field of information security and its effects on network security.

Objectives

  • Explain the relationships among the component parts of information security, especially network security
  • Define the key terms and critical concepts of information and network security
  • Explain the business need for information and network security
  • Identify the threats posed to information and network security, as well as the common attacks associated with those threats
  • Distinguish between threats to information from within systems and attacks against information from within systems
  • Describe the organizational roles of information and network security professionals
  • Define management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines
  • Discuss how an organization institutionalizes policies, standards, and practices using education, training, and awareness programs

Teaching Tips

Introduction

  • Before learning how to plan, design, and implement network security, it is important that students understand the larger topic of information security and how the components of network security fit into this topic.

What Is Information Security?

  • Information security (InfoSec) is the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information. Note that in order to protect information and its related systems, organizations must integrate the following security layers:

    ▪ Network security
    ▪ Physical security
    ▪ Personal security
    ▪ Operations security
    ▪ Communications security


Information Security Terminology

  • The following terms and concepts are essential to any discussion of information security (use Figures 1-1 and 1-2 to aid the discussion):

    ▪ Access
    ▪ Asset
    ▪ Attack
    ▪ Control, safeguard, or countermeasure
    ▪ Exploit
    ▪ Exposure
    ▪ Intellectual Property
    ▪ Loss
    ▪ Protection profile or security posture
    ▪ Risk
    ▪ Subjects
    ▪ Threat
    ▪ Threat agent
    ▪ Vulnerability

Critical Characteristics of Information

1. Discuss the following characteristics of information:

    ▪ Availability
    ▪ Accuracy
    ▪ Authenticity
    ▪ Confidentiality
    ▪ Data owners
    ▪ Data custodians
    ▪ Data users
    ▪ Integrity
    ▪ Utility
    ▪ Possession
    ▪ Privacy

Security Models

  • Introduce the term C.I.A. triad. Use Figure 1-3 to aid the discussion.
  • Note that the definition of information security presented earlier in this chapter is based in part on a document called the U.S. National Training Standard for Information Security Professionals, NSTISSI No. 4011, which was published by the U.S. Committee on National Security Systems (CNSS).

  • Introduce the term McCumber Cube. Use Figure 1-4 to aid the discussion.

Balancing Information Security and Access

  • Point out that in order to operate an information system to the satisfaction of the user and the security professional, the level of security must allow reasonable access, yet protect against threats.

Business Needs First

  • Discuss the important organizational functions performed by an information system.

2. The following topics should be discussed:

▪ Protecting the Functionality of an Organization: Note that the management of information security to protect an organization’s ability to function has more to do with policy and enforcement than with the technology of its implementation.

▪ Enabling the Safe Operation of Applications: Because the majority of a business’s critical data resides in complex IT applications, today’s organizations are under immense pressure to acquire and operate integrated, efficient, and capable applications.

▪ Protecting Data that Organizations Collect and Use: An important point to make is that protecting data in motion and data at rest are both critical aspects of information security. The value of data motivates attackers to steal, sabotage, or corrupt it.

▪ Safeguarding Technology Assets in Organizations: Note that in order to perform effectively, organizations must add secure infrastructure services matching the size and scope of the enterprise assets.

Quick Quiz 1

  • The term ____ refers to the organizational resource that is being protected.

Answer: asset

  • The term ____ refers to an intentional or unintentional act that can cause damage to or otherwise compromise the information and/or the systems that support it.

Answer: attack

  • The term ____ refers to a condition or state of being exposed. In information security, exposure exists when a vulnerability known to an attacker is present.

Answer: exposure

  • The term ____ refers to the probability that something unwanted will happen.

Answer: risk
