Introduction

Information security: a well-informed sense of assurance that the information risks and controls are in balance. Jim Anderson, Inovant (2002)

What is Security?
The quality or state of being secure: to be free from danger. A successful organization should have multiple layers of security in place:
Physical security
Personal security
Operations security
Communications security
Network security
Information security

What is Information Security?


The protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.
Necessary tools: policy, awareness, training, education, technology

C.I.A TRIANGLE

Information Security Conceptual Architecture

MACHINE INFECTED?
ACTION PLAN:
1) Write down the error or alert message verbatim; inform your tech support team; quarantine the machine.
2) Look up the message on an authoritative anti-virus site (demo); diagnose the problem; take the recommended remedial action.

If appropriate: download, install, and run the anti-virus removal tool (demo).

Apply all missing critical security patches (demo).

3) Reboot the machine. Run a full system scan before placing the machine back in service.

NOTE #1
Search engines are NOT reliable sources of virus information

Information may be inaccurate, incomplete or out of date

Search engines generate huge numbers of indiscriminate hits


Some anti-virus Web sites are scams (or contain Trojan horses). Go directly to authoritative anti-virus sites.

NOTE #2
Computer companies are NOT reliable sources of virus information
Computer companies:

Usually refer you to an anti-virus vendor
Are not in the anti-virus business themselves
Are victims!

Ethics Overview
Ethics is about how we ought to live*
The purpose of Ethics in Information Security is not just philosophically important, it can mean the survival of a business or an industry**

Ethics is doing the right thing, even when no one is looking

ISSA International Ethics Committee


Founded in 2002
15 active members
Purpose: Provide guidance on ethical behavior for Information System Security professionals; develop and maintain guidelines for ethics relating to Information Security practices.

Proactive Promotion and Education to Influence Positive Behavior

Ten Commandments of Ethics in Information Security


Thou shalt not use a computer to harm other people.
Thou shalt not interfere with other people's computer work.
Thou shalt not snoop around in other people's computer files.
Thou shalt not use a computer to steal.
Thou shalt not use a computer to bear false witness.
Thou shalt not copy or use proprietary software for which you have not paid.
Thou shalt not use other people's computer resources without authorization or proper compensation.
Thou shalt not appropriate other people's intellectual output.

Thou shalt think about the social consequences of the program you are writing or the system you are designing.
Thou shalt always use a computer in ways that insure consideration and respect for your fellow humans.
- Courtesy of the Computer Ethics Institute, a project of the Brookings Institution

Authoritative Anti-Virus Organizations


www.cert.org (Computer Emergency Response Team - CMU)
www.ciac.org/ciac (CIAC - Department of Energy)
www.sans.org/aboutsans.php (Server and Network Security)
www.first.org (Forum of Incident Response and Security Teams)
www.cirt.rutgers.edu (Computing Incident Response Team - Rutgers)