Introduction to Information Security 3

LEARNING OBJECTIVES:
1
Upon completion of this material, you should be able to:
• Define information security
• Recount the history of computer security, and explain how it evolved into information security
• Define key terms and critical concepts of information security
• Enumerate the phases of the security systems development life cycle
• Describe the information security roles of professionals within an organization

Introduction
James Anderson, executive consultant at Emagined Security, Inc., believes information security
in an enterprise is a “well-informed sense of assurance that the information risks and controls
are in balance.” He is not alone in his perspective. Many information security practitioners
recognize that aligning information security needs with business objectives must be the top
priority.
This chapter’s opening scenario illustrates that the information risks and controls are not in
balance at Sequential Label and Supply. Though Amy works in a technical support role and
her job is to solve technical problems, it does not occur to her that a malicious software pro-
gram, like a worm or virus, might be the agent of the company’s current ills. Management
also shows signs of confusion and seems to have no idea how to contain this kind of incident.
If you were in Amy’s place and were faced with a similar situation, what would you do? How
would you react? Would it occur to you that something far more insidious than a technical
malfunction was happening at your company? As you explore the chapters of this book and
learn more about information security, you will become better able to answer these questions.
But before you can begin studying the details of the discipline of information security, you
must first know the history and evolution of the field.

The History of Information Security

The history of information security begins with computer security. The need for computer
security—that is, the need to secure physical locations, hardware, and software from threats—
arose during World War II when the first mainframes, developed to aid computations for com-
munication code breaking (see Figure 1-1), were put to use. Multiple levels of security were
implemented to protect these mainframes and maintain the integrity of their data. Access to sen-
sitive military locations, for example, was controlled by means of badges, keys, and the facial
recognition of authorized personnel by security guards. The growing need to maintain national
security eventually led to more complex and more technologically sophisticated computer secu-
rity safeguards.
During these early years, information security was a straightforward process composed pre-
dominantly of physical security and simple document classification schemes. The primary
threats to security were physical theft of equipment, espionage against the products of the sys-
tems, and sabotage. One of the first documented security problems that fell outside these cate-
gories occurred in the early 1960s, when a systems administrator was working on an MOTD

Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
 4 Chapter 1

Earlier versions of the German

code machine Enigma were
first broken by the Poles in the
1930s. The British and
Americans managed to break
later, more complex versions
during World War II. The
increasingly complex versions
of the Enigma, especially the
submarine or Unterseeboot
version of the Enigma, caused
considerable anguish to Allied
forces before finally being
cracked. The information
gained from decrypted
transmissions was used to
anticipate the actions of
German armed forces. ”Some
ask why, if we were reading
the Enigma, we did not win
the war earlier. One might ask,
instead, when, if ever, we
would have won the war if we
hadn’t read it.”1

Figure 1-1 The Enigma

Source: Courtesy of National Security Agency

(message of the day) file, and another administrator was editing the password file. A software
glitch mixed the two files, and the entire password file was printed on every output file.2

The 1960s
During the Cold War, many more mainframes were brought online to accomplish more com-
plex and sophisticated tasks. It became necessary to enable these mainframes to communicate
via a less cumbersome process than mailing magnetic tapes between computer centers. In
response to this need, the Department of Defense’s Advanced Research Project Agency
(ARPA) began examining the feasibility of a redundant, networked communications system
to support the military’s exchange of information. Larry Roberts, known as the founder of
the Internet, developed the project—which was called ARPANET—from its inception.
ARPANET is the predecessor to the Internet (see Figure 1-2 for an excerpt from the ARPA-
NET Program Plan).

The 1970s and 80s

During the next decade, ARPANET became popular and more widely used, and the potential
for its misuse grew. In December of 1973, Robert M. “Bob” Metcalfe, who is credited

Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
 Introduction to Information Security 5

Figure 1-2 Development of the ARPANET Program Plan3

Source: Courtesy of Dr. Lawrence Roberts

with the development of Ethernet, one of the most popular networking protocols, identified
fundamental problems with ARPANET security. Individual remote sites did not have suffi-
cient controls and safeguards to protect data from unauthorized remote users. Other pro-
blems abounded: vulnerability of password structure and formats; lack of safety procedures
for dial-up connections; and nonexistent user identification and authorization to the system.
Phone numbers were widely distributed and openly publicized on the walls of phone booths,
giving hackers easy access to ARPANET. Because of the range and frequency of computer
security violations and the explosion in the numbers of hosts and users on ARPANET, net-
work security was referred to as network insecurity.4 In 1978, a famous study entitled “Pro-
tection Analysis: Final Report” was published. It focused on a project undertaken by ARPA
to discover the vulnerabilities of operating system security. For a timeline that includes this
and other seminal studies of computer security, see Table 1-1.
The movement toward security that went beyond protecting physical locations began with a
single paper sponsored by the Department of Defense, the Rand Report R-609, which
attempted to define the multiple controls and mechanisms necessary for the protection of a
multilevel computer system. The document was classified for almost ten years, and is now
considered to be the paper that started the study of computer security.
The security—or lack thereof—of the systems sharing resources inside the Department of
Defense was brought to the attention of researchers in the spring and summer of 1967. At
that time, systems were being acquired at a rapid rate and securing them was a pressing con-
cern for both the military and defense contractors.

Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
 6 Chapter 1

Date Documents
1968 Maurice Wilkes discusses password security in Time-Sharing Computer Systems.

1973 Schell, Downey, and Popek examine the need for additional security in military systems in
“Preliminary Notes on the Design of Secure Military Computer Systems.”5

1975 The Federal Information Processing Standards (FIPS) examines Digital Encryption Standard (DES) in
the Federal Register.

1978 Bisbey and Hollingworth publish their study “Protection Analysis: Final Report,” discussing the
Protection Analysis project created by ARPA to better understand the vulnerabilities of operating
system security and examine the possibility of automated vulnerability detection techniques in
existing system software.6

1979 Morris and Thompson author “Password Security: A Case History,” published in the Communications
of the Association for Computing Machinery (ACM). The paper examines the history of a design for a
password security scheme on a remotely accessed, time-sharing system.

1979 Dennis Ritchie publishes “On the Security of UNIX” and “Protection of Data File Contents,” discussing
secure user IDs and secure group IDs, and the problems inherent in the systems.

1984 Grampp and Morris write “UNIX Operating System Security.” In this report, the authors examine four
“important handles to computer security”: physical control of premises and computer facilities,
management commitment to security objectives, education of employees, and administrative
procedures aimed at increased security.7

1984 Reeds and Weinberger publish “File Security and the UNIX System Crypt Command.” Their premise
was: “No technique can be secure against wiretapping or its equivalent on the computer. Therefore
no technique can be secure against the systems administrator or other privileged users … the naive
user has no chance.”8

Table 1-1 Key Dates for Seminal Works in Early Computer Security

In June of 1967, the Advanced Research Projects Agency formed a task force to study the
process of securing classified information systems. The Task Force was assembled in October
of 1967 and met regularly to formulate recommendations, which ultimately became the con-
tents of the Rand Report R-609.9
The Rand Report R-609 was the first widely recognized published document to identify the
role of management and policy issues in computer security. It noted that the wide utilization
of networking components in information systems in the military introduced security risks
that could not be mitigated by the routine practices then used to secure these systems.10 This
paper signaled a pivotal moment in computer security history—when the scope of computer
security expanded significantly from the safety of physical locations and hardware to include
the following:
Securing the data
Limiting random and unauthorized access to that data
Involving personnel from multiple levels of the organization in matters pertaining to
information security

MULTICS Much of the early research on computer security centered on a system called
Multiplexed Information and Computing Service (MULTICS). Although it is now obsolete,
MULTICS is noteworthy because it was the first operating system to integrate security into

Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
 Introduction to Information Security 7

its core functions. It was a mainframe, time-sharing operating system developed in the mid-
1960s by a consortium of General Electric (GE), Bell Labs, and the Massachusetts Institute 1
of Technology (MIT).
In mid-1969, not long after the restructuring of the MULTICS project, several of its develo-
pers (Ken Thompson, Dennis Ritchie, Rudd Canaday, and Doug McIlro) created a new
operating system called UNIX. While the MULTICS system implemented multiple security
levels and passwords, the UNIX system did not. Its primary function, text processing, did
not require the same level of security as that of its predecessor. In fact, it was not until the
early 1970s that even the simplest component of security, the password function, became a
component of UNIX.
In the late 1970s, the microprocessor brought the personal computer and a new age of com-
puting. The PC became the workhorse of modern computing, thereby moving it out of the
data center. This decentralization of data processing systems in the 1980s gave rise to net-
working—that is, the interconnecting of personal computers and mainframe computers,
which enabled the entire computing community to make all their resources work together.

The 1990s
At the close of the twentieth century, networks of computers became more common, as did
the need to connect these networks to each other. This gave rise to the Internet, the first
global network of networks. The Internet was made available to the general public in the
1990s, having previously been the domain of government, academia, and dedicated industry
professionals. The Internet brought connectivity to virtually all computers that could reach a
phone line or an Internet-connected local area network (LAN). After the Internet was com-
mercialized, the technology became pervasive, reaching almost every corner of the globe
with an expanding array of uses.
Since its inception as a tool for sharing Defense Department information, the Internet has
become an interconnection of millions of networks. At first, these connections were based
on de facto standards, because industry standards for interconnection of networks did not
exist at that time. These de facto standards did little to ensure the security of information
though as these precursor technologies were widely adopted and became industry standards,
some degree of security was introduced. However, early Internet deployment treated security
as a low priority. In fact, many of the problems that plague e-mail on the Internet today are
the result of this early lack of security. At that time, when all Internet and e-mail users were
(presumably trustworthy) computer scientists, mail server authentication and e-mail encryp-
tion did not seem necessary. Early computing approaches relied on security that was built
into the physical environment of the data center that housed the computers. As networked
computers became the dominant style of computing, the ability to physically secure a net-
worked computer was lost, and the stored information became more exposed to security
threats.

2000 to Present
Today, the Internet brings millions of unsecured computer networks into continuous commu-
nication with each other. The security of each computer’s stored information is now contin-
gent on the level of security of every other computer to which it is connected. Recent years
have seen a growing awareness of the need to improve information security, as well as a real-
ization that information security is important to national defense. The growing threat of

Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
 8 Chapter 1

cyber attacks have made governments and companies more aware of the need to defend the
computer-controlled control systems of utilities and other critical infrastructure. There is also
growing concern about nation-states engaging in information warfare, and the possibility
that business and personal information systems could become casualties if they are
undefended.

What Is Security?
In general, security is “the quality or state of being secure—to be free from danger.”11 In
other words, protection against adversaries—from those who would do harm, intentionally
or otherwise—is the objective. National security, for example, is a multilayered system that
protects the sovereignty of a state, its assets, its resources, and its people. Achieving the appro-
priate level of security for an organization also requires a multifaceted system.
A successful organization should have the following multiple layers of security in place to pro-
tect its operations:
Physical security, to protect physical items, objects, or areas from unauthorized access
and misuse
Personnel security, to protect the individual or group of individuals who are autho-
rized to access the organization and its operations
Operations security, to protect the details of a particular operation or series of
activities
Communications security, to protect communications media, technology, and content
Network security, to protect networking components, connections, and contents
Information security, to protect the confidentiality, integrity and availability of infor-
mation assets, whether in storage, processing, or transmission. It is achieved via the
application of policy, education, training and awareness, and technology.
The Committee on National Security Systems (CNSS) defines information security as the
protection of information and its critical elements, including the systems and hardware that
use, store, and transmit that information.12 Figure 1-3 shows that information security
includes the broad areas of information security management, computer and data security,
and network security. The CNSS model of information security evolved from a concept devel-
oped by the computer security industry called the C.I.A. triangle. The C.I.A. triangle has been
the industry standard for computer security since the development of the mainframe. It is
based on the three characteristics of information that give it value to organizations: confidenti-
ality, integrity, and availability. The security of these three characteristics of information is as
important today as it has always been, but the C.I.A. triangle model no longer adequately
addresses the constantly changing environment. The threats to the confidentiality, integrity,
and availability of information have evolved into a vast collection of events, including acciden-
tal or intentional damage, destruction, theft, unintended or unauthorized modification, or
other misuse from human or nonhuman threats. This new environment of many constantly
evolving threats has prompted the development of a more robust model that addresses
the complexities of the current information security environment. The expanded model con-
sists of a list of critical characteristics of information, which are described in the next

Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.