Unit 1: Introduction to Information Security
This course begins with an overview of information security and its evolution. This first section introduces the core goals of information security: the CIA triad. Some common information security terms and processes used in the industry are defined and outlined. Types of controls and their functions are categorized so the learner can comprehend the design of a defense-in-depth system. The unit concludes with a justification of why humans are known as the weakest link in information security and describes how security awareness training can mitigate this risk. The topics in this unit prepare you for the more detailed security topics in the following units.
Completing this unit should take you approximately 6 hours.
1.1: The History and Evolution of Information Security
Let us begin our journey into learning about information security (IS). IS is less than sixty years old, as its history began in the 1960s. Before the World Wide Web was developed, threats and security techniques were different from those of today, when cloud and mobile technologies are prevalent. Although threats and technologies have changed, new developments are often derived from previous technologies. Therefore, it is important to understand these technologies and their evolution.
1.2: Confidentiality, Integrity, and Availability – The CIA Triad
As you learned in the previous section, the basis for information security (IS) was developed in the 1980s and is known as the confidentiality, integrity, and availability (CIA) triad. Information security professionals must have a good understanding of the CIA triad as it is the cornerstone of the profession. The goal for every security program is the protection of a system's CIA. System threats are evaluated on the impact they have on CIA. In this section, you should develop a good understanding of the components of the CIA triad. From here, you will build on these concepts to discover the mechanisms that can be used to protect each tenet of the triad as explained later in the course.
1.3: Threats, Vulnerabilities, and Risks
As an information security professional, you will be evaluating risks and conducting risk assessments. Three commonly used terms in risk assessment are vulnerability, threat, and risk. These terms are closely related and often used interchangeably, but in IS they have very different meanings. A vulnerability is a system weakness, a threat is the potential to exploit a vulnerability, and a risk is the potential for loss. The equation used when evaluating risk is asset + vulnerability + threat = risk. To effectively manage and evaluate risk, an IS professional must understand the difference between these three terms, and this section will provide you with the information to differentiate between them.
1.4: The Risk Management Process
Now that you understand the differences between vulnerabilities, risks, and threats, we will look at how to manage risk. As an information security professional, you will be tasked to provide guidance on risk management, therefore you should be aware of industry standards for risk management and the risk management process. The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-39 is an industry standard for managing risks. This document provides information about the four steps of the risk management process: risk framing, risk assessment, risk response, and risk monitoring. While there is a lot of information presented here, it is most important to know the steps of the risk management process and the basics of what is involved in each process. Risk framing is the risk management strategy determined by senior leaders. Risk assessment is an evaluation of the vulnerabilities and threats on the system. Risk response is the determination of how to respond to the risk, and risk monitoring is the continuous management of risk. Since this section is about risk, we will go one step further and learn the formulas used to calculate risk and how to use these formulas.
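The following worked example is added here to illustrate sections 1.3 and 1.4 together; it is not part of the course page. It assumes the standard quantitative risk formulas commonly taught with this material (single loss expectancy SLE = AV × EF, annualized loss expectancy ALE = SLE × ARO, and the cost-benefit of a safeguard as ALE before minus ALE after minus the safeguard's annual cost), and it ties them back to the asset + vulnerability + threat = risk relationship: the exposure factor captures how badly the vulnerability hurts the asset, and the annualized rate of occurrence captures the threat. All asset values, rates and control costs below are constructed sample figures.

```python
"""Quantitative risk assessment and risk-response worked example.

Added illustration, not from the course page. Assumed formulas:
    SLE = AV * EF            single loss expectancy
    ALE = SLE * ARO          annualized loss expectancy
    safeguard value = ALE_before - ALE_after - annual safeguard cost
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One asset/vulnerability/threat combination expressed quantitatively."""
    asset: str
    asset_value: float       # AV: what the asset is worth (currency units)
    exposure_factor: float   # EF: fraction of AV lost per incident (0.0 to 1.0), the vulnerability's impact
    annual_rate: float       # ARO: expected incidents per year, the threat's likelihood

    def __post_init__(self) -> None:
        # Reject inputs that would make the formulas meaningless.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure_factor must be between 0.0 and 1.0")
        if self.asset_value < 0 or self.annual_rate < 0:
            raise ValueError("asset_value and annual_rate must be non-negative")

    def sle(self) -> float:
        """Single loss expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle() * self.annual_rate


def safeguard_value(before: Risk, after: Risk, annual_cost: float) -> float:
    """Net annual benefit of a control; positive means the control pays for itself."""
    return before.ale() - after.ale() - annual_cost


def recommend_response(before: Risk, after: Risk, annual_cost: float,
                       risk_appetite: float) -> str:
    """Pick a risk response in the spirit of the NIST SP 800-39 response step.

    - accept:   the untreated ALE already sits within the organization's appetite
    - mitigate: the proposed control reduces ALE by more than it costs
    - transfer or avoid: the control is not worth its cost, so look at insurance
      (transfer) or at not running the exposed process at all (avoid)
    """
    if before.ale() <= risk_appetite:
        return "accept"
    if safeguard_value(before, after, annual_cost) > 0:
        return "mitigate"
    return "transfer or avoid"


def example_assessment() -> dict:
    """Constructed scenario: a customer database exposed to a phishing-driven breach."""
    # Constructed sample figures, not real data.
    before = Risk(asset="customer database", asset_value=500_000.0,
                  exposure_factor=0.4, annual_rate=0.2)       # one breach every 5 years
    # Proposed control: awareness training plus phishing-resistant MFA.
    # It lowers how often the threat succeeds (ARO), not the damage once it does (EF).
    after = Risk(asset=before.asset, asset_value=before.asset_value,
                 exposure_factor=before.exposure_factor, annual_rate=0.02)
    control_cost = 15_000.0      # annual cost of the control (constructed)
    appetite = 10_000.0          # annual loss leadership will tolerate (risk framing)
    return {
        "sle_before": before.sle(),
        "ale_before": before.ale(),
        "ale_after": after.ale(),
        "safeguard_value": safeguard_value(before, after, control_cost),
        "response": recommend_response(before, after, control_cost, appetite),
    }


if __name__ == "__main__":
    for key, value in example_assessment().items():
        print(f"{key:>16}: {value}")
```

Risk framing is represented only by the risk appetite figure; in practice it also fixes the valuation method, the time horizon, and who signs off on accepting a risk, and risk monitoring means re-running this assessment when the asset value, the threat rate, or the control's effectiveness changes.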
1.5: The Incident Response Process
Risk management attempts to prevent incidents from occurring, but incidents will still occur. Information security professionals prepare plans, before incidents happen, that guide them on how to respond. This guide is called an incident response plan. The plan includes four stages: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity. Just as risk management has an industry standard published by the National Institute of Standards and Technology (NIST), incident management also has an industry standard guideline: NIST Special Publication (SP) 800-61. You should learn the four stages of the incident response plan and the general idea behind each stage as described in NIST SP 800-61. Further clarification for each stage is provided in a video.
1.6: Security Control
Risk management identifies the risks that need to be managed, and then controls are put in place to protect against those risks. Controls can be administrative, technical, or physical, and can be further divided by function into deterrent, preventative, detective, and compensating controls. The function determines the type of control needed, as well as whether the control protects confidentiality, integrity, or availability. For instance, a physical control can protect against unauthorized access to a server room. A lock is a physical control that is preventative because it keeps a person from entering. Protecting against unauthorized access or viewing is protecting confidentiality. This section will provide more detail to help you differentiate between types of controls and their functions.
1.7: Defense in Depth
Now that you know about some security controls that can be used to protect a system, we will look at how to use more than one control to make the system even more secure. Using multiple controls is the most effective form of defense and is called defense-in-depth. Often, defense-in-depth is compared to the layers of an onion; when one layer of protection fails there is another layer underneath to provide protection. A simple example is an attack on your home network. If an attacker is successful in breaching your firewall, then the attacker can access your email. But if your email application is protected with a smart card, then you have a second layer of protection. In this section, you should learn the concept of defense-in-depth and be able to propose a defense-in-depth strategy for a simple system.
1.8: Human Behavioral Risks
One risk that an information security (IS) professional needs to pay particular attention to is the human risk. Humans are the greatest risk to security, both internal and external to an organization. Why humans are considered the weakest link relates to human behavioral factors. Humans are social beings and may unintentionally, or intentionally, provide attackers with protected information. Attackers use a technique called social engineering to trick humans into providing valuable information. The best protection against social engineering is security awareness training and education. In this section, you will learn about social engineering and why humans are the weakest link. You will also learn the benefits and limitations of formal awareness training and computer-based training.
1.9: Security Frameworks
Many government regulations and security frameworks have been written to assist information security (IS) professionals in their role of protecting information systems. Depending on your role or area of business as an IS professional, you will be concerned with one or several of these documents. Some general information is provided about ISO/IEC 27001, the standard used across the IT industry. State and local governments focus on Federal Information Processing Standards (FIPS), and Control Objectives for Information and Related Technologies (COBIT) 5 was written for enterprise organizations. Any company that processes payment via cards must comply with the Payment Card Industry Data Security Standard (PCI DSS), and the Center for Internet Security (CIS) Top 20 controls map to PCI DSS. Information technology (IT) professionals often have many opportunities for movement within the career field. Consequently, you should have basic knowledge of these frameworks and of the type of business to which each one applies.
Unit 1 Assessment