The Basics of Information Security: Understanding the Fundamentals of InfoSec in Theory and Practice

Paperback (Print)

Overview

As part of the Syngress Basics series, The Basics of Information Security provides you with fundamental knowledge of information security in both theoretical and practical aspects. It covers the basic knowledge needed to understand the key concepts of confidentiality, integrity, and availability. Then it dives into practical applications of these ideas in the areas of operational, physical, network, application, and operating system security.


  • Learn about information security without wading through huge manuals

  • Covers both theoretical and practical aspects of information security

  • Gives a broad view of the information security field for practitioners, students, and enthusiasts

Editorial Reviews

From the Publisher
"The book includes illustrations and figures demonstrating key information security ideas, alerts to make the reader aware of particular insights, more advanced details for those wishing to do their own research above and beyond the contents of the book, and real world example summaries pertaining to key terms throughout the book. There is also an accessible bibliography mainly made up of online resources. The exercises at the end of each chapter also make this a good book for a first year security college class...All in all, this book is for those new to information security and for persons who are looking to learn about underlying concepts which underpin what is at the heart of information security in organizations."—Computers and Security

"This book is a great primer for anyone who wants to get into cybersecurity. It methodically covers the key principles in an easy-to-understand flow that builds on itself. I recommend this book for anyone who wants to be able to intelligently discuss cybersecurity at work or in social settings."--Steve Winterfeld, Author of Cyber Warfare and CISSP/PMP

"The Basics of Digital Forensics is extremely easy to read and understand, and tackles the topic in a very broad manner. All in all, it's a perfect book for those who are interested in the subject and for gauging whether they might be interested in finding out more about it in the future."—HelpNetSecurity

"The complexity of Information Security is oftentimes overwhelming to those individuals new to the field. Unfortunately, there are too few resources available that can provide a clear and comprehensive understanding of InfoSec. This book rectifies this shortage and provides readers a comprehensive discussion on what every security professional should know intimately." - Thomas Wilhelm, HackingDojo.com

"Overall, this book follows a logical progression and makes good use of headings and subheadings so that the material is easy to follow; diagrams are included where helpful. Boxouts are also used to good effect - you'll find Alerts for points you need to pay attention to and More Advanced for ones you can skip. The boxouts used towards the end of each chapter for ‘Real World’ topics allow the author to break out of textbook style and relate the material to a wider context. The chapters then conclude with a Summary followed by Exercises - a list of questions that serve as a check that you have understood the main points covered. No answers are provided so if you are stumped use the index or re-read before moving on. This book is aimed at beginners and is equally suitable as a course text or for self-study. The developer should, of course, have a working knowledge of the topics it covers and this is a good place to start if you need an overview of the basics."— Alex Armstrong, i-Programmer.com


Product Details

  • ISBN-13: 9781597496537
  • Publisher: Elsevier Science
  • Publication date: 6/24/2011
  • Pages: 208
  • Product dimensions: 7.50 (w) x 9.20 (h) x 0.60 (d)

Meet the Author

Jason Andress (ISSAP, CISSP, GPEN, CEH) is a seasoned security professional with a depth of experience in both the academic and business worlds. He is presently employed by a major software company, providing global information security oversight, and performing penetration testing, risk assessment, and compliance functions to ensure that the company's assets are protected. Jason has taught undergraduate and graduate security courses since 2005 and holds a Doctorate in Computer Science, researching in the area of data protection. He has authored several publications and books, writing on topics including data security, network security, penetration testing, and digital forensics.

Read an Excerpt

The Basics of Information Security

Understanding the Fundamentals of InfoSec in Theory and Practice
By Jason Andress

SYNGRESS

Copyright © 2011 Elsevier Inc.
All rights reserved.

ISBN: 978-1-59749-654-4


Chapter One

What is Information Security?

Information in This Chapter:

* What is Security?

* Models for Discussing Security Issues

* Attacks

* Defense in Depth

INTRODUCTION

Information security is a concept that becomes ever more enmeshed in many aspects of our society, largely as a result of our nearly ubiquitous adoption of computing technology. In our everyday lives, many of us work with computers for our employers, play on computers at home, go to school online, buy goods from merchants on the Internet, take our laptops to the coffee shop and check our e-mail, carry our smartphones on our hips and use them to check our bank balances, track our exercise with sensors in our shoes, and so on, ad infinitum.

Although this technology enables us to be more productive and allows us to access a host of information with only a click of the mouse, it also carries with it a host of security issues. If the information on the systems used by our employers or our banks becomes exposed to an attacker, the consequences can be dire indeed. We could suddenly find ourselves bereft of funds, as the contents of our bank account are transferred to a bank in another country in the middle of the night. Our employer could lose millions of dollars, face legal prosecution, and suffer damage to its reputation because of a system configuration issue allowing an attacker to gain access to a database containing personally identifiable information (PII) or proprietary information. We see such issues appear in the media with disturbing regularity.

If we look back 30 years, such issues related to computer systems were nearly nonexistent, largely due to the low level of technology and the few people who were using what was in place. Although technology changes at an increasingly rapid rate, and specific implementations arise on a seemingly daily basis, much of the theory that discusses how we go about keeping ourselves secure changes at a much slower pace and does not always keep up with the changes to our technology. If we can gain a good understanding of the basics of information security, we are on a strong footing to cope with changes as they come along.

WHAT IS SECURITY?

Information security is defined as "protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction," according to U.S. law. In essence, it means we want to protect our data and our systems from those who would seek to misuse it.

In a general sense, security means protecting our assets. This may mean protecting them from attackers invading our networks, natural disasters, adverse environmental conditions, power failures, theft or vandalism, or other undesirable states. Ultimately, we will attempt to secure ourselves against the most likely forms of attack, to the best extent we reasonably can, given our environment.

When we look at what exactly it is that we secure, we may have a broad range of potential assets. We can consider physical items that we might want to secure, such as those of inherent value (e.g., gold bullion) or those that have value to our business (e.g., computing hardware). We may also have items of a more ethereal nature, such as software, source code, or data. In today's computing environment, we are likely to find that our logical assets are at least as valuable as, if not more than, our physical assets. Additionally, we must also protect the people who are involved in our operations. People are our single most valuable asset, as we cannot generally conduct business without them. We duplicate our physical and logical assets and keep backup copies of them elsewhere against catastrophe occurring, but without the skilled people to operate and maintain our environments, we will swiftly fail.

In our efforts to secure our assets, we must also consider the consequences of the security we choose to implement. There is a well-known quote that says, "The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards—and even then I have my doubts". Although we could certainly say that a system in such a state could be considered reasonably secure, it is surely not usable or productive. As we increase the level of security, we usually decrease the level of productivity. With the system mentioned in our quote, the level of security would be very high, but the level of productivity would be very near zero.

Additionally, when securing an asset, system, or environment, we must also consider how the level of security relates to the value of the item being secured. We can, if we are willing to accommodate the decrease in performance, apply very high levels of security to every asset for which we are responsible. We can build a billion-dollar facility surrounded by razor wire fences and patrolled by armed guards and vicious attack dogs, and carefully place our asset in a hermetically sealed vault inside ... so that mom's chocolate chip cookie recipe will never come to harm, but that would not make much sense. In some environments, however, such security measures might not be enough. In any environment where we plan to put heightened levels of security in place, we also need to take into account the cost of replacing our assets if we do happen to lose them, and make sure we establish reasonable levels of protection for their value. The cost of the security we put in place should never outstrip the value of what it is protecting.

When Are We Secure?

Defining the exact point at which we can be considered secure presents a bit of a challenge. Are we secure if our systems are properly patched? Are we secure if we use strong passwords? Are we secure if we are disconnected from the Internet entirely? From a certain point of view, all of these questions can be answered with a "no."

Even if our systems are properly patched, there will always be new attacks to which we are vulnerable. When strong passwords are in use, there will be other avenues that an attacker can exploit. When we are disconnected from the Internet, our systems can be physically accessed or stolen. In short, it is very difficult to define when we are truly secure. We can, however, turn the question around.

Defining when we are insecure is a much easier task, and we can quickly list a number of items that would put us in this state:

* Not patching our systems

* Using weak passwords such as "password" or "1234"

* Downloading programs from the Internet

* Opening e-mail attachments from unknown senders

* Using wireless networks without encryption

We could go on for some time creating such a list. The good thing is that once we are able to point out the areas in an environment that can cause it to be insecure, we can take steps to mitigate these issues. This problem is akin to cutting something in half over and over; there will always be some small portion left to cut again. Although we may never get to a state that we can definitively call "secure," we can take steps in the right direction.

Some bodies of law or regulations do make an attempt to define what secure is, or at least some of the steps we should take to be "secure enough." We have the Payment Card Industry Data Security Standard (PCI DSS) for companies that process credit card payments, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for organizations that handle health care and patient records, the Federal Information Security Management Act (FISMA) that defines security standards for many federal agencies in the United States, and a host of others. Whether these standards are effective or not is the source of much discussion, but following the security standards defined for the industry in which we are operating is generally considered to be advisable, if not mandated.

MODELS FOR DISCUSSING SECURITY ISSUES

When we discuss security issues, it is often helpful to have a model that we can use as a foundation or a baseline. This gives us a consistent set of terminology and concepts that we, as security professionals, can refer to when security issues arise.

The Confidentiality, Integrity, and Availability Triad

Three of the primary concepts in information security are confidentiality, integrity, and availability, commonly known as the confidentiality, integrity, and availability (CIA) triad, as shown in Figure 1.1. The CIA triad gives us a model by which we can think about and discuss security concepts, and tends to be very focused on security, as it pertains to data.

CONFIDENTIALITY

Confidentiality is a concept similar to, but not the same as, privacy. Confidentiality is a necessary component of privacy and refers to our ability to protect our data from those who are not authorized to view it. Confidentiality is a concept that may be implemented at many levels of a process.

As an example, if we consider the case of a person withdrawing money from an ATM, the person in question will likely seek to maintain the confidentiality of the personal identification number (PIN) that allows him, in combination with his ATM card, to draw funds from the ATM. Additionally, the owner of the ATM will hopefully maintain the confidentiality of the account number, balance, and any other information needed to communicate to the bank from which the funds are being drawn. The bank will maintain the confidentiality of the transaction with the ATM and the balance change in the account after the funds have been withdrawn. If at any point in the transaction confidentiality is compromised, the results could be bad for the individual, the owner of the ATM, and the bank, potentially resulting in what is known in the information security field as a breach.

Confidentiality can be compromised by the loss of a laptop containing data, a person looking over our shoulder while we type a password, an e-mail attachment being sent to the wrong person, an attacker penetrating our systems, or similar issues.

INTEGRITY

Integrity refers to the ability to prevent our data from being changed in an unauthorized or undesirable manner. This could mean the unauthorized change or deletion of our data or portions of our data, or it could mean an authorized, but undesirable, change or deletion of our data. To maintain integrity, we not only need to have the means to prevent unauthorized changes to our data but also need the ability to reverse authorized changes that need to be undone.

We can see a good example of mechanisms that allow us to control integrity in the file systems of many modern operating systems such as Windows and Linux. For purposes of preventing unauthorized changes, such systems often implement permissions that restrict what actions an unauthorized user can perform on a given file. Additionally, some such systems, and many applications, such as databases, can allow us to undo or roll back changes that are undesirable.

Integrity is particularly important when we are discussing the data that provides the foundation for other decisions. If an attacker were to alter the data that contained the results of medical tests, we might see the wrong treatment prescribed, potentially resulting in the death of the patient.

AVAILABILITY

The final leg of the CIA triad is availability. Availability refers to the ability to access our data when we need it. Loss of availability can refer to a wide variety of breaks anywhere in the chain that allows us access to our data. Such issues can result from power loss, operating system or application problems, network attacks, compromise of a system, or other problems. When such issues are caused by an outside party, such as an attacker, they are commonly referred to as a denial of service (DoS) attack.

RELATING THE CIA TRIAD TO SECURITY

Given the elements of the CIA triad, we can begin to discuss security issues in a very specific fashion. As an example, we can look at a shipment of backup tapes on which we have the only existing, but unencrypted, copy of some of our sensitive data stored. If we were to lose the shipment in transit, we will have a security issue. From a confidentiality standpoint, we are likely to have a problem since our files were not encrypted. From an integrity standpoint, presuming that we were able to recover the tapes, we again have an issue due to the lack of encryption used on our files. If we recover the tapes and the unencrypted files were altered, this would not be immediately apparent to us. As for availability, we have an issue unless the tapes are recovered since we do not have a backup copy of the files.
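The backup-tape scenario above, together with the medical-test illustration under INTEGRITY, worked as an added Python example (not code from the book): a constructed backup image is sealed with encrypt-then-MAC, so a lost tape yields only ciphertext and an altered recovered image is rejected instead of silently accepted. The key, the sample records and the HMAC-based stand-in cipher are assumptions made for the demo.

```python
"""Backup-tape scenario from the excerpt, as a constructed example.
Encrypt-then-MAC sealing means a lost tape exposes only ciphertext
(confidentiality) and an altered image is rejected rather than silently
accepted (integrity).  Availability still needs a second copy.  The
cipher is a stand-in (HMAC-SHA256 in counter mode) so this runs on the
standard library only; in practice use an AEAD such as AES-GCM."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32
# Constructed sample records (cf. the chapter's medical-test example)
# and a demo-only key; neither is real.
MASTER_KEY = b"constructed-demo-key-not-for-real-use"
BACKUP_DATA = (b"patient=1001;test=glucose;result=95\n"
               b"patient=1002;test=glucose;result=240\n")


def derive_keys(master: bytes) -> tuple[bytes, bytes]:
    """Distinct encryption and MAC keys from one master key."""
    enc = hmac.new(master, b"backup-encryption", hashlib.sha256).digest()
    mac = hmac.new(master, b"backup-authentication", hashlib.sha256).digest()
    return enc, mac


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC(key, nonce || counter) blocks."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal_backup(master: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag also covers the nonce."""
    enc_key, mac_key = derive_keys(master)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_backup(master: bytes, image: bytes) -> bytes:
    """Verify the tag before decrypting; raise on any alteration."""
    enc_key, mac_key = derive_keys(master)
    nonce, ciphertext, tag = image[:NONCE_LEN], image[NONCE_LEN:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("backup image failed integrity check")
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def flip_byte(image: bytes, index: int) -> bytes:
    """Simulate one altered byte on the recovered tape."""
    altered = bytearray(image)
    altered[index] ^= 0x01
    return bytes(altered)


if __name__ == "__main__":
    image = seal_backup(MASTER_KEY, BACKUP_DATA)
    print("lost tape reveals plaintext:", BACKUP_DATA in image)  # False
    print("intact image opens:", open_backup(MASTER_KEY, image) == BACKUP_DATA)
    try:
        open_backup(MASTER_KEY, flip_byte(image, NONCE_LEN + 40))
    except ValueError as exc:
        print("altered image rejected:", exc)
```

With a cleartext tape the same one-byte change would be accepted without any error, which is exactly the "not immediately apparent" problem the excerpt describes.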

Although we can describe the situation in this example with relative accuracy using the CIA triad, we might find that the model is more restrictive than what we need in order to describe the entire situation. An alternative model does exist that is somewhat more extensive.

(Continues...)



Excerpted from The Basics of Information Security by Jason Andress Copyright © 2011 by Elsevier Inc. Excerpted by permission of SYNGRESS. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.


Table of Contents

  • Chapter 1. What is Information Security?
  • Chapter 2. Identification and Authentication
  • Chapter 3. Authorization and Access Control
  • Chapter 4. Auditing and Accountability
  • Chapter 5. Cryptography
  • Chapter 6. Operations Security
  • Chapter 7. Physical Security
  • Chapter 8. Network Security
  • Chapter 9. Operating System Security
  • Chapter 10. Application Security


Customer Reviews

Average Rating 4.5 (3 reviews)
Rating Distribution: 5 Star (2), 4 Star (1), 3 Star (0), 2 Star (0), 1 Star (0)

  • Anonymous

    Posted January 10, 2013

    Great Place to start

    If you are looking at getting started in InfoSec, this is a great book to get your feet wet. It gives you a broad enough overview to give the reader a basic understanding of what they are going to need to do to be successful in information security.

  • Posted September 12, 2011

    VERY VERY HIGHLY RECOMMENDED!!

    Are you a beginning security professional, as well as a network and system administrator? If you are, then this book is for you! Author Jason Andress has done an outstanding job of writing a book that can be used to develop a better understanding of how to protect information assets and defend against attacks, as well as how to apply these concepts practically. Andress begins by covering some of the most basic concepts of information security. In addition, the author covers the security principles of identification and authentication. He then discusses the use of authorization and access control. The author then discusses the use of auditing and accountability. He continues by discussing the use of cryptography. In addition, the author covers operational security. He then discusses physical security. The author then shows you how to protect networks from a variety of different angles. Then, he explores hardening as one of the primary tools for securing the operating system and the steps that might be taken to do so. Finally, he shows you different ways in which to secure applications. This most excellent book provides the reader with a basic knowledge of information security in both theoretical and practical aspects. Perhaps more importantly, the concepts discussed in this book can be used to drive security projects and policies, in order to mitigate some of the issues discussed.

  • Posted August 25, 2011

    Informative & brief.

    Great yet brief coverage of all relevant topics within the information security field. Also gives you interesting historical facts like how cryptography began, origin of malware, the first computer "bug", etc. If you are new to the field and/or if (like me) you're looking for something to review the concepts, this book is a great choice.
