Unit 1: Introduction to Information Security
This course begins with an overview of information security and its evolution. This first section introduces the core goals of information security: the CIA triad. Some common information security terms and processes used in the information security industry are defined and outlined. Types of controls and their functions are categorized so the learner can comprehend the design of a defense-in-depth system. The unit concludes with a justification of why humans are known as the weakest link in information security and describes how security awareness training can serve to mitigate this risk. The topics in this unit prepare you for the more detailed security topics in the following units.
Completing this unit should take you approximately 6 hours.
Upon successful completion of this unit, you will be able to:
- discuss how the need for information security has changed as information technology has evolved;
- explain how confidentiality, integrity, and availability (the CIA triad) apply to information security;
- compare threats, vulnerabilities, and risks;
- list steps in the risk management process;
- assess the stages of the incident response process;
- categorize security controls by type (administrative, physical, or technical) and function (preventive, detective, deterrent, or compensating);
- propose a defense-in-depth security strategy;
- explain why humans are the weakest link in security and how human behavior can be modified through security awareness and training programs; and
- describe the purpose of prominent security frameworks.
1.1: The History and Evolution of Information Security
Let us begin our journey into learning about information security (IS). IS is less than sixty years old, as its history began in the 1960s. Before the world wide web was developed, threats and security techniques were different from those of today, when the use of cloud and mobile technologies is prevalent. Although threats and technologies have changed, their development is often derived from that of previous technologies. Therefore, it is important to understand these technologies and their evolution.
This exhibit gives a history of the evolution of users, key technologies, threats, concerns, and security techniques in information security since 1960. Click on the links in the pre-web computing (1960s-'90s), open web (1990s-2000s), and mobile and cloud (2000s-future) section. What were the threats and concerns of each time period? How did security technology or techniques develop in response to those threats?
- To begin, review this timeline on the history and development of information security. What was the role of the US Department of Defense (DoD) in the evolution of information security? Who or what were the influencers in the development of the confidentiality, availability, and integrity (CIA) triad?
1.2: Confidentiality, Integrity, and Availability – The CIA Triad
As you learned in the previous section, the basis for information security (IS) was developed in the 1980s and is known as the confidentiality, integrity, and availability (CIA) triad. Information security professionals must have a good understanding of the CIA triad as it is the cornerstone of the profession. The goal for every security program is the protection of a system's CIA. System threats are evaluated on the impact they have on CIA. In this section, you should develop a good understanding of the components of the CIA triad. From here, you will build on these concepts to discover the mechanisms that can be used to protect each tenet of the triad as explained later in the course.
- The basis for information security is the CIA triad. After you watch this video, you should be able to define the three principles of confidentiality, integrity, and availability as they relate to information security and the protection of data.
1.3: Threats, Vulnerabilities, and Risks
As an information security professional, you will be evaluating risks and conducting risk assessments. Three terms commonly used in risk assessment are vulnerability, threat, and risk. These terms are closely related and often used interchangeably, but in IS the terms have very different meanings. A vulnerability is a system weakness, a threat is the potential to exploit a vulnerability, and a risk is the potential for loss. The equation used when evaluating risk is asset + vulnerability + threat = risk. To effectively manage and evaluate risk, an IS professional must understand the difference between these three terms, and this section will provide you with the information to differentiate between them.
- This video explains threats and vulnerabilities, how they apply to information security, and how they can reduce or compromise the confidentiality, integrity, and availability (CIA) of a system. What is the difference between a threat and a vulnerability? What are threats and vulnerabilities in the context of information systems?
Read section 1.3. When you are new to the information security industry, you may use the words vulnerability, threat, and risk interchangeably, though they actually have very different meanings. As you read, think about the differences between these terms and try to explain each term in the context of information security.
1.4: The Risk Management Process
Now that you understand the differences between vulnerabilities, risks, and threats, we will look at how to manage risk. As an information security professional, you will be tasked with providing guidance on risk management, so you should be aware of industry standards for risk management and the risk management process. The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-39 is an industry standard for managing risks. This document describes the four steps of the risk management process: risk framing, risk assessment, risk response, and risk monitoring. While there is a lot of information presented here, it is most important to know the steps of the risk management process and the basics of what is involved in each step. Risk framing is the risk management strategy determined by senior leaders. Risk assessment is an evaluation of the vulnerabilities and threats to the system. Risk response is the determination of how to respond to the risk, and risk monitoring is the continuous management of risk. Since this section is about risk, we will go one step further and learn the formulas used to calculate risk and how to use them.
- Risk can never be eliminated, but it can be managed using the risk management process. The National Institute of Standards and Technology (NIST) 800 series documents are well-known and accepted as industry standards in information security. Review NIST SP 800-39, a special publication that outlines a process for managing information security risks. Read pages 32-45 for a detailed explanation of the risk management process. Pay attention to the general description of each step in the process: framing risk, assessing risk, responding to risk, and monitoring risk. After you read, you should be able to explain the order of the steps in the process and what happens during each step.
Read this page and watch the video to learn more about the purpose of risk management and the four stages of the risk management process. Before you move on, make sure you have a good understanding of the formulas, and that you are able to use the formulas on this page to calculate single loss expectancy (SLE), annual rate of occurrence (ARO), and annual loss expectancy (ALE).
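The worked example below (added here; it is not part of the course page or its linked reading) applies the two standard quantitative formulas the page asks you to practise, SLE = AV x EF and ALE = SLE x ARO, to a small set of constructed risk scenarios and ranks them by ALE. The scenario names and figures are hypothetical; the point they illustrate is that a frequent, moderate loss can carry a higher annual loss expectancy than a rare, catastrophic one.

```python
"""Quantitative risk formulas: SLE = AV * EF and ALE = SLE * ARO.

Added example for this unit; scenario figures below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    name: str
    asset_value: float      # AV: value of the asset, in currency units
    exposure_factor: float  # EF: fraction of the asset lost in one incident (0.0 to 1.0)
    aro: float              # ARO: expected number of incidents per year


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF: the expected loss from a single occurrence of the threat."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the expected loss per year from the threat."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


def rank_by_ale(scenarios):
    """Return (name, SLE, ALE) tuples ordered from highest to lowest ALE.

    Ranking by ALE is how risk response effort is normally prioritised in the
    risk assessment and risk response steps of the NIST SP 800-39 process.
    """
    rows = []
    for s in scenarios:
        sle = single_loss_expectancy(s.asset_value, s.exposure_factor)
        rows.append((s.name, sle, annual_loss_expectancy(sle, s.aro)))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample scenarios (hypothetical figures, not course data).
SAMPLE_SCENARIOS = [
    # Rare but total loss: ARO 0.02 is roughly once every fifty years.
    RiskScenario("data centre fire", asset_value=2_000_000, exposure_factor=1.0, aro=0.02),
    # Frequent partial loss: a quarter of the asset lost, four times a year.
    RiskScenario("phishing account takeover", asset_value=50_000, exposure_factor=0.25, aro=4),
    # Small, recurring loss: ten percent of the asset, twice a year.
    RiskScenario("laptop theft", asset_value=20_000, exposure_factor=0.1, aro=2),
]

if __name__ == "__main__":
    for name, sle, ale in rank_by_ale(SAMPLE_SCENARIOS):
        print(f"{name:28s} SLE={sle:12,.2f}  ALE={ale:12,.2f}")
```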
- Watch this video, which discusses the risk management process practically. How does this reinforce the actions taken in each step of the process from NIST SP 800-39 that you read earlier?
1.5: The Incident Response Process
Risk management attempts to prevent incidents from occurring, but incidents will still occur. Information security professionals prepare plans that guide them on how to respond to incidents before incidents happen. This guide is called an incident response plan. The plan includes four stages: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity. Just as risk management has an industry standard published by the National Institute of Standards and Technology (NIST), incident management also has an industry standard guideline: NIST Special Publication (SP) 800-61. You should learn the four stages of the incident response plan, and the general idea behind each stage of the incident response plan in NIST SP 800-61. Further clarification for each stage is provided in a video.
- Even though information security professionals plan to effectively manage risk, incidents still occur. NIST SP 800-61 is the National Institute of Standards and Technology (NIST) special publication that gives guidelines for organizations on how to handle security incidents. Read section 2.2 on page 6 to learn more about the need for, and the benefits of, an incident response capability. Also read section 3 on pages 21-44 to learn how to appropriately handle information security incidents. Before you move on, make sure you can explain the four stages of the incident response process: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.
- This video explains how the incident response plan for detection and countermeasures is perpetual, and expands on the stages of the incident response process.
1.6: Security Controls
Risk management outlines risks that need to be managed, and then controls are put in place to protect against those risks. Controls can be administrative, technical, or physical, and can be further divided by function into deterrent, preventative, detective, and compensating controls. The functionality determines the type of control needed, as well as whether the control protects confidentiality, availability, or integrity. For instance, a physical control can protect against unauthorized access to a server room. A lock is a physical control that is preventative because it keeps a person from entering. Protecting against unauthorized access or viewing is protecting confidentiality. This section will provide more detail to help you differentiate between types of controls and their functions.
You learned about the goals of security based on the CIA triad in a previous section, and you have an understanding of the terms vulnerability, threat, and risk. Now, watch this video to understand the types of controls and their functions in ensuring the confidentiality, availability, and integrity of information systems.
Controls are broken down into control types such as administrative, physical, and technical. Read this section, which will help you differentiate between administrative, technical, and physical control types.
- Controls are further broken down into control functions. Watch this video to learn how to categorize controls by control function as either preventive, detective, deterrent, or compensating.
1.7: Defense-in-Depth
Now that you know about some security controls that can be used to protect a system, we will look at how to use more than one control to make the system even more secure. Using multiple controls is the most effective form of defense and is called defense-in-depth. Often, defense-in-depth is compared to the layers of an onion: when one layer of protection fails, there is another layer underneath to provide protection. A simple example is an attack on your home network. If an attacker succeeds in breaching your firewall, then the attacker can reach your email. But if your email application is protected with a smart card, then you have a second layer of protection. In this section, you should learn the concept of defense-in-depth and be able to propose a defense-in-depth strategy for a simple system.
Defense-in-depth is a layered strategy for securing information systems. The layers are often compared to the layers of an onion: when one layer is peeled back, there is another layer of defense or protection. Watch the first two minutes of this video for an introduction to the concept of defense-in-depth.
Watch this video from 24:00 to 27:00 for a practical example of how layers of defense protect a system when defense-in-depth mechanisms are in place.
Read the section on defense-in-depth. Pay attention to how it compares defense-in-depth to the protection of a castle, and note how it recalls the CIA triad. After you read, you should be able to explain the concept of defense-in-depth and propose a defense-in-depth security strategy for a simple system.
1.8: Human Behavioral Risks
One risk that an information security (IS) professional needs to pay particular attention to is the human risk. Humans are the greatest risk to security, both internal and external to an organization. Humans are considered the weakest link because of human behavioral factors. Humans are social beings and may unintentionally, or intentionally, provide attackers with protected information. Attackers use a technique called social engineering to trick humans into providing valuable information. The best protection against social engineering is security awareness training and education. In this section, you will learn about social engineering and why humans are the weakest link. You will also learn the benefits and limitations of formal awareness training and computer-based training.
So far, we have discussed security control types and functions and how layers of controls provide defense-in-depth. These controls protect data from outside threats, but an even greater area of concern is the "inside threat" – people. Read the introduction and the two sections on social engineering in this article about the human factor. Why are people a threat to information security?
Humans are the weakest link in information security. Giving someone access to information systems involves an element of trust. Watch this video about how people, not machines, are the biggest concern in cybersecurity. Then, read this article, which describes how humans are the last line of defense for an organization. How can people, either intentionally or unintentionally, expose their organizations to risks?
The most effective way to combat the risk posed by people is to provide formal security awareness training. Read this section on conducting formal security awareness training. After you read, you should understand the need for training programs, the types of security awareness training, and how to evaluate a training program.
Although formal training is the most effective way to build security awareness, computer-based training is another option. Read this section on delivering security awareness training. After you read, you should be able to explain the benefits and limitations of computer-based and instructor-led security awareness training. How can human behavior be modified through security awareness and training programs?
1.9: Security Frameworks
Many government regulations and security frameworks have been written to assist information security (IS) professionals in their role of protecting information systems. Depending on your role or area of business as an IS professional, you will be concerned with one or several of these documents. Some general information is provided about ISO/IEC 27001, which is the standard used across the IT industry. State and local governments focus on Federal Information Processing Standards (FIPS), and Control Objectives for Information and Related Technologies (COBIT) 5 was written for enterprise organizations. Any company that processes card payments must comply with the Payment Card Industry Data Security Standard (PCI DSS), and the Center for Internet Security (CIS) Top 20 controls map to PCI DSS. Information technology (IT) professionals often have many opportunities for movement within the career field. Consequently, you should have some basic knowledge of these frameworks and of the type of business to which each one applies.
While working in the area of information security, it is important to understand the common security standards and frameworks. While reading this article, you will learn about the controls specified by ISO/IEC 27001, the Federal Information Processing Standards (FIPS), the NIST Cybersecurity Framework and NIST Special Publication 800-53, as well as COBIT 5.
The Center for Internet Security (CIS) has developed 20 controls, called the CIS Top 20, to secure an organization's systems against cyber attacks and threats. While watching this video, pay attention to the 20 controls. You are not expected to memorize all 20 controls, but it is important to know the first six, as implementing these controls will protect against approximately 91 percent of security breaches.
The Payment Card Industry Data Security Standard (PCI DSS) is a standard that protects the security of credit card data. While watching this video, you will learn about the penalties that can be imposed on a business for non-compliance with PCI DSS. What are some of the requirements of PCI DSS compliance?
Unit 1 Assessment
Take this assessment to see how well you understood this unit.
- This assessment does not count towards your grade. It is just for practice!
- You will see the correct answers when you submit your answers. Use this to help you study for the final exam!
- You can take this assessment as many times as you want, whenever you want.