
INTRODUCTION TO INFORMATION SECURITY:

Information is a valuable asset like any other asset, so it needs to be secured
from attacks. Now the question is: what is security?

Security is:

• Freedom from risk or danger; safety.
• Freedom from doubt, anxiety, or fear; confidence.

Why do we need security?

• Protect vital information while still allowing access to those who need it,
e.g. medical records, trade secrets.
• Provide authentication and access control for resources.
• Guarantee availability of resources.
• Prevent theft of or damage to the hardware.
• Prevent theft of or damage to the information.
• Prevent disruption of service.

In short, to secure information, three security goals must be achieved:

• Confidentiality: information needs to be hidden from unauthorized access.
• Integrity: information is protected from unauthorized change.
• Availability: information is available to an authorized entity when it is
needed.

In early days, the information collected by an organization was stored on physical
files. The confidentiality of the files was achieved by restricting the access to only
trusted people in the organization. Also, only a few authorized people were
allowed to change the contents of the files. Availability was achieved by designating
at least one person who would have access to the files at all times.

With the invention of computers, information storage became electronic, meaning it
was stored in computers. The three security requirements, however, did not change.
The files stored in computers also require confidentiality, integrity and availability
(CIA). The implementation of these requirements, however, is different and more
challenging.

During the last two decades, computer networks have created a revolution in the use
of information. Information is now distributed. Authorized people can send and
retrieve information from a distance using computer networks. Although the three
above-mentioned requirements (confidentiality, integrity and availability) have not
changed, they now have some new dimensions.

The term 'information security' means protecting information and information systems
from unauthorized access, use, disclosure, disruption, modification, or destruction in
order to provide integrity, confidentiality, and availability.

PRINCIPLES OF SECURITY

Now we classify the principles related to security, which help us understand attacks
better and also help us to tackle them. We will understand these concepts by taking
one example.

Let us assume that a person A wants to send a check worth 10000 Rs. to another
person B. So, A will write the check for 10000 Rs., put it inside an envelope and send
it to B.

• A would like to ensure that no one except B gets the envelope, and that even if
someone else gets it, she does not come to know the details of the check.
This is the principle of confidentiality.

• A and B would further like to make sure that no one can tamper with the
contents of the check (such as its amount, date, signature, name of the payee,
etc.). This is the principle of integrity.

• B would like to be assured that the check has indeed come from A and not
from someone else posing as A (as it could be a fake check in that case). This
is the principle of authentication.

• What will happen tomorrow if B deposits the check in his account, the money
is transferred from A's account to B's account, and then A denies having
written/sent the check? The court of law will use A's signature to disallow A
from refusing this claim and settle the dispute. This is the principle of
non-repudiation.

These are the four chief principles of security. There are two more, access control and
availability, which are not related to a particular message but are linked to the
system as a whole.

• Access control: specifies and controls who can access what.
• Availability: assets are accessible to authorized parties at appropriate times.

Examples of Security Requirements

• Confidentiality – student grades
• Integrity – patient information
• Availability – authentication service
• Authenticity – admission ticket
• Non-repudiation – stock sell order

ATTACKS

A security attack is an action that compromises the security of information owned by
an organization. Network security attacks are unauthorized actions against private,
corporate or governmental IT assets in order to destroy, modify or steal sensitive data.

Fig. Normal flow

Security attacks are classified into four general categories:

Interruption

This is an attack on availability. An asset of the system is destroyed or becomes
unavailable. Eg: cutting of a communication line, disabling of the file management
system, destruction of a piece of hardware.

Fig. Interruption

Interception

This is an attack on confidentiality. An unauthorized party gains access to an asset.
Ex: wire tapping to capture data in a network, illicit copying of files.

Fig. Interception

Modification

This is an attack on integrity. An unauthorized party not only gains access but tampers
with an asset. Ex: changing values in a data file, altering a program, modifying the
contents of messages being transmitted in a network.

Fig. Modification

Fabrication:

This is an attack on authenticity. An unauthorized party inserts counterfeit objects into
the system. Ex: the insertion of spurious messages in a network or the addition of
records to a file.

Fig. Fabrication

Security attacks are also classified into two kinds:

1. Passive attacks
2. Active attacks

a. Passive attacks

A passive attack attempts to learn or make use of information from the system but
does not affect system resources. In a passive attack, the attacker's goal is just to
obtain information. The attack does not modify data or harm the system, and the
system continues with its normal operation. Examples of attacks threatening
confidentiality are release of message contents and traffic analysis.

Passive attacks are of two types:

1. Release of message contents: A telephonic conversation, an email message and a
transferred file may contain sensitive or confidential information; we would like to
prevent an opponent from learning the content of these transmissions.

Fig release of message contents


2. Traffic analysis: In a traffic analysis attack, the opponent observes the pattern of
messages from sender to receiver (who is talking to whom, how often, and how much)
without reading the contents.

Fig. Traffic analysis

Passive attacks are very difficult to detect because they do not involve any alteration
of data. However, it is feasible to prevent the success of these attacks.

b. Active attacks

An active attack attempts to alter system resources or affect their operation. An active
attack may change the data or harm the system. Examples of attacks threatening
integrity are masquerading, replaying, modification and repudiation. An example of an
attack threatening availability is Denial of Service (DoS).

Active attacks can be subdivided into five types:

1. Masquerade: It takes place when one entity claims to be a different entity. The
figure depicts a masquerade attack where Darth sends a message to Alice pretending
to be Bob, and Alice thinks the message is from Bob. Alice is unaware that the
message is actually sent by Darth.

Fig. Masquerade

2. Replay: It involves the passive capture of a data unit and its subsequent
retransmission to produce an unauthorized effect.

For example, consider the figure with the scenario that Bob sends a message to Alice
to add an amount of Rs. 500/- to Darth's account. Darth captures the message and
replays it after a few days. Alice assumes that this is a new message from Bob and
adds the amount to Darth's account again.

Fig. Replay

3. Modification of message: It involves some portion of a message being altered, or
messages being delayed or reordered, to produce an unauthorized effect.

For example, Bob sends a message to Alice as "Allow John to access confidential file
X". In transmission, Darth intercepts the message and changes it for his own benefit
to "Allow Darth to access confidential file X".

Fig. Modification of message

4. Repudiation: The sender or receiver performs this attack. The sender or recipient
might subsequently deny having sent or received a communication. For instance, a
customer asks his bank "to transfer the sum to someone" and subsequently denies
having made the request. The figure represents repudiation, where Darth denies
having previously sent a message to Alice.

Fig. Repudiation

5. Denial of service (DoS): Fabrication causes denial of service attacks. Another
form of service denial is the disruption of an entire network, either by disabling the
network or by overloading it with messages so as to degrade performance.

As in the figure, Darth saturates a server with an overwhelming number of packets,
resulting in a denial-of-service attack, and the server is unable to service the request
of the genuine user (Bob). In order for most DoS flood attacks to be successful, the
malicious Darth must have more available bandwidth than the target.

Fig. Denial of service
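The three message-level active attacks above (masquerade, replay and modification of message) are all detectable by the receiver if every message carries a message authentication code over its contents and a fresh nonce, which is how the principles of integrity and authentication from the check example are enforced electronically. The following Python block is an added example and is not part of the original notes; the names Bob, Alice and Darth and the Rs. 500 scenario are taken from the notes, while the shared key, the message layout and the `make_message`/`Receiver` helpers are assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets

# Shared secret between Bob (sender) and Alice (receiver). This is a constructed
# value for the example; a real key would be provisioned out of band.
SHARED_KEY = b"example-shared-key-for-bob-and-alice"


def canonical_bytes(sender, nonce, body):
    """Serialise the authenticated fields deterministically so both sides
    compute the MAC over exactly the same bytes."""
    return json.dumps({"sender": sender, "nonce": nonce, "body": body},
                      sort_keys=True).encode()


def make_message(key, sender, body):
    """Bob's side: attach a fresh random nonce and an HMAC-SHA256 tag that
    covers the sender name, the nonce and the body."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(key, canonical_bytes(sender, nonce, body), hashlib.sha256).hexdigest()
    return {"sender": sender, "nonce": nonce, "body": body, "tag": tag}


class Receiver:
    """Alice's side: accept a message only if its tag verifies under the shared
    key and its nonce has never been seen before."""

    def __init__(self, key):
        self.key = key
        self.seen_nonces = set()

    def receive(self, msg):
        expected = hmac.new(self.key,
                            canonical_bytes(msg["sender"], msg["nonce"], msg["body"]),
                            hashlib.sha256).hexdigest()
        # A wrong tag means either the sender does not hold the key (masquerade)
        # or the content was changed after the tag was computed (modification).
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            return False, "rejected: tag does not verify (masquerade or modification)"
        # A correct tag with a nonce already seen is a retransmitted message (replay).
        if msg["nonce"] in self.seen_nonces:
            return False, "rejected: nonce already used (replay)"
        self.seen_nonces.add(msg["nonce"])
        return True, "accepted"


def demo():
    """Run the four scenarios from the notes and return which ones Alice accepts."""
    alice = Receiver(SHARED_KEY)
    genuine = make_message(SHARED_KEY, "Bob",
                           {"action": "credit", "account": "Darth", "amount": 500})
    results = {}
    # Genuine message from Bob.
    results["genuine"] = alice.receive(genuine)[0]
    # Replay: Darth captured the message and resends it unchanged a few days later.
    results["replay"] = alice.receive(genuine)[0]
    # Modification: Darth changes the amount; the tag no longer matches the body.
    modified = dict(genuine)
    modified["body"] = {"action": "credit", "account": "Darth", "amount": 5000}
    results["modified"] = alice.receive(modified)[0]
    # Masquerade: Darth forges a message "from Bob" without knowing the shared key.
    forged = make_message(b"not-the-real-key", "Bob",
                          {"action": "credit", "account": "Darth", "amount": 500})
    results["masquerade"] = alice.receive(forged)[0]
    return results


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:10s} -> {'accepted' if accepted else 'rejected'}")
```

The tag is checked before the nonce so that a replayed-and-modified message is reported as a bad tag rather than as a replay. The set of seen nonces grows without bound here; a deployed receiver would pair the nonce with a timestamp and only remember nonces inside an acceptance window. Note that this mechanism does nothing against denial of service, which attacks availability rather than integrity or authenticity.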

Comparative Points of Passive and Active Attack:

ACTIVE ATTACK                                   | PASSIVE ATTACK
------------------------------------------------|------------------------------------------------
Attacker needs to have physical control of the  | Attacker merely needs to observe the
media or network.                               | communication in the media or network.
It can be easily detected.                      | It cannot be easily detected.
It affects the system.                          | It does not affect the system.
It involves a modification of data.             | It involves the monitoring of data.
Types of active attacks are masquerade, session | Types of passive attacks are release of message
replay, denial of service, distributed denial   | contents and traffic analysis.
of service.                                     |
It scans the ports and network in search of     | It does not check for loopholes or
loopholes and vulnerabilities.                  | vulnerabilities.
It is difficult to prevent a network from an    | Passive attacks can be prevented.
active attack.                                  |

Differentiate between threat and attack:


THREAT                                            | ATTACK
--------------------------------------------------|--------------------------------------------------
Can be intentional or unintentional               | Is intentional
May or may not be malicious                       | Is malicious
Circumstance that has the ability to cause        | Objective is to cause damage
damage.                                           |
Information may or may not be altered or          | Chance for information alteration and damage
damaged.                                          | is very high.
Comparatively hard to detect                      | Comparatively easy to detect
Can be blocked by control of vulnerabilities      | Cannot be blocked by just controlling the
                                                  | vulnerabilities
Can be initiated by the system itself as well as  | Is always initiated by an outsider (system or
by an outsider                                    | user)
Can be classified into physical threat, internal  | Can be classified into virus, spyware, phishing,
threat, external threat, human threat, and        | worms, spam, botnets, DoS attacks, ransomware,
non-physical threat.                              | breaches.

FUNCTIONAL REQUIREMENTS OF SECURITY

Functional requirements define the basic system behavior. Essentially, they are what
the system does or must not do, and can be thought of in terms of how the system
responds to inputs. Functional requirements usually define if/then behaviors and
include calculations, data input, and business processes.

Functional requirements are features that allow the system to function as it was
intended. Put another way, if the functional requirements are not met, the system will
not work. Functional requirements are product features and focus on user
requirements.
The functional requirements of security should be:

• Able to uniquely identify individual system users.
• It must include two-factor authentication for system access.
• It must include notification and user acknowledgment at login.
• It must manage passwords and password processing securely.
• It should encrypt authentication and authorization mechanisms.
• It must grant the minimum sufficient access or privileges to the user
according to users' roles or job duties.
• Allow access to sensitive data only as necessary for users' job duties.
• Users should log out of or lock unattended workstations.
• Users' access should be revoked upon termination of appointments.
• Owners should review accounts at least annually.
• It should designate owners to manage privileged and shared accounts.
• It should meet related regulatory and/or contractual obligations.

Attack Surface:

The attack surface is the number of all possible points, or attack vectors, where an
unauthorized user can access a system and extract data. The smaller the attack surface,
the easier it is to protect.

Examples are:

• Open ports on web servers that can be used to access sensitive information.
• An employee with access to sensitive information who is susceptible to social
engineering attacks.
• Services available inside the firewall system.
• Data processing code that processes incoming emails, XML documents, office
documents, and industry-specific custom data exchange formats.

The attack surface is split into two categories: digital and physical.
Digital Attack Surface

The digital attack surface encompasses all the hardware and software that connect to
an organization's network. These include applications, code, ports, servers, and
websites, as well as shadow IT, where users bypass the IT department to use
unauthorized applications or devices.

Physical Attack Surface

The physical attack surface comprises all endpoint devices that an attacker can gain
physical access to, such as desktop computers, hard drives, laptops, mobile phones,
and Universal Serial Bus (USB) drives. The physical attack threat surface includes
carelessly discarded hardware that contains user data and login credentials, users
writing passwords on paper, and physical break-ins.

Organizations can protect the physical attack surface through access control and
surveillance around their physical locations. They also must implement and test
disaster recovery procedures and policies.
Attack tree:

A branching, hierarchical data structure that represents a set of potential approaches to
achieving an event in which system security is penetrated or compromised in a
specified way.

Attack trees provide a formal, methodical way of describing the security of systems,
based on varying attacks.
Attack trees aim to build a structured and logical image of the cyber security risk to a
system from the perspective of possible successful attacks.
Eg:

Why use an attack tree:

Visualising cyber security risk in this way gives a clear understanding of where the
risk comes from, allowing you to identify security weaknesses and develop
mitigations for them.

Attack trees can also be used effectively in agile environments, where the tree can be
built alongside iterative development. Taking this approach means that cyber security
risks are considered as they are discovered and appropriate countermeasures can be
introduced.

Building attack trees:

• Identify the core issue.
• Create the root node for the core issue.
• Identify the steps by which the attacker can achieve the core issue.
• Add these steps as nodes beneath the core issue.
• Repeat the process for each of the nodes you've just added.
• The tree is complete when each branch of the tree ends in a leaf node.
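The procedure above, carried through in code: the following Python block is an added example and not part of the original notes. It builds a small attack tree for the notes' own "read confidential file X" scenario, with OR nodes (any one child suffices) and AND nodes (all children are needed), gives each leaf an assumed attacker-effort cost, and computes the least-effort path so that mitigations can be placed where they reduce risk most. The tree contents, the costs, and the `Node`, `build_tree` and `mitigate` helpers are all assumptions made for the example; the two mitigations applied are the password-handling and two-factor authentication requirements listed under the functional requirements above.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

INF = float("inf")  # cost of a step that a mitigation has made infeasible


@dataclass
class Node:
    """One node of an attack tree. A LEAF carries the attacker's effort as a
    cost; an OR node is achieved by any one child, an AND node needs all."""
    name: str
    kind: str = "LEAF"              # "LEAF", "OR" or "AND"
    cost: float = 0.0               # effort for a LEAF; unused for OR/AND
    children: List["Node"] = field(default_factory=list)

    def cheapest(self) -> Tuple[float, List[str]]:
        """Least-effort way to achieve this node: (total cost, leaf steps)."""
        if self.kind == "LEAF":
            return self.cost, [self.name]
        options = [child.cheapest() for child in self.children]
        if self.kind == "OR":
            return min(options, key=lambda o: o[0])
        if self.kind == "AND":
            return (sum(o[0] for o in options),
                    [step for o in options for step in o[1]])
        raise ValueError(f"unknown node kind {self.kind!r}")

    def find(self, name: str) -> Optional["Node"]:
        """Return the node with the given name, searching this subtree."""
        if self.name == name:
            return self
        for child in self.children:
            hit = child.find(name)
            if hit is not None:
                return hit
        return None


def build_tree() -> Node:
    """Core issue (root) and the steps beneath it, following the procedure above.
    Costs are assumed values on an arbitrary effort scale."""
    return Node("Read confidential file X", "OR", children=[
        Node("Use a legitimate user's credentials", "OR", children=[
            Node("Guess a weak password", cost=2),
            Node("Trick the user into revealing the password", cost=4),
        ]),
        Node("Exploit a server misconfiguration", "AND", children=[
            Node("Find a service exposed on the file server", cost=3),
            Node("Abuse the exposed service to read the file", cost=5),
        ]),
        Node("Use an unattended, logged-in workstation", cost=6),
    ])


def mitigate(tree: Node, leaf_name: str, new_cost: float = INF) -> None:
    """Record a countermeasure by raising the cost of the leaf it addresses."""
    leaf = tree.find(leaf_name)
    if leaf is None or leaf.kind != "LEAF":
        raise KeyError(leaf_name)
    leaf.cost = new_cost


def demo() -> List[Tuple[float, List[str]]]:
    """Cheapest attack path before and after two functional requirements from
    the notes (secure password processing, two-factor authentication) are applied."""
    tree = build_tree()
    history = [tree.cheapest()]
    mitigate(tree, "Guess a weak password")                       # password policy
    history.append(tree.cheapest())
    mitigate(tree, "Trick the user into revealing the password")  # two-factor auth
    history.append(tree.cheapest())
    return history


if __name__ == "__main__":
    for cost, steps in demo():
        print(cost, "->", " + ".join(steps))
```

Each call to `cheapest` re-evaluates the whole tree, so after each mitigation the defender sees which branch has become the new weakest point: here the weak-password leaf first, then the social-engineering leaf, and finally the unattended workstation, which is exactly the order in which the notes' functional requirements (password handling, two-factor authentication, locking unattended workstations) would be applied. Costs can be replaced by any attribute the risk analysis needs, such as probability or required skill, by changing the combining rule in `cheapest`.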

Information security Strategy:

Strategy:

- Strategy is basically a road map of specific actions to achieve an objective.
- It includes what should be done, how it should be done, and when it should be
done to achieve the objectives.

Information security strategy:

- Information security strategy is the set of actions to achieve the security
objectives.
- The prime objective of any security strategy is to support the business objectives.
Information security strategy should be aligned with business objectives.
- The first step for an information security manager in creating an IS strategy is to
understand and evaluate the business strategy. This is essential to align the
information security plan with the business strategy.
- If security is not aligned with the business, the business may fail.
- Security policies are developed on the basis of the security strategy.

IS Strategy and Plan:

1. What is the first step in developing IS plan?

To evaluate and understand business strategy.

2. What is the main objective of designing an IS strategy?

To support the business objectives and execute it.

Zero Trust framework:

Zero Trust security is an IT security model that requires strict identity verification for
every person and device trying to access resources on a private network, regardless of
whether they are sitting within or outside of the network perimeter.
Zero Trust security means that no one is trusted by default from inside or outside the
network, and verification is required from everyone trying to gain access to resources
on the network.

Principles (five):

1. Zero Trust Networks
2. Zero Trust Workloads
3. Zero Trust Data
4. Zero Trust People
5. Zero Trust Devices
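The statement that verification is required "regardless of whether they are sitting within or outside of the network perimeter" is easiest to see as an access decision that never consults the source network. The following Python block is an added example, not part of the original notes: a small policy check that applies the People, Devices, Data and Networks principles to each request. The role table, the request fields and the `evaluate`/`demo` helpers are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed example entitlement table: which role may read each data
# classification. Access is decided per resource, never per network location.
ROLE_ALLOWS = {
    "finance": {"public", "internal", "confidential"},
    "intern": {"public"},
}


@dataclass
class Request:
    user: str
    identity_verified: bool     # strong authentication completed for this session
    role: str
    device_managed: bool        # device is enrolled and reports a healthy posture
    source_network: str         # "internal" or "external"; recorded, never trusted
    resource_classification: str


def evaluate(req: Request):
    """Zero Trust decision: every request must pass every check, wherever it
    comes from. Returns (allowed, reason)."""
    # Zero Trust People: no verified identity, no access, even from inside.
    if not req.identity_verified:
        return False, "identity not verified"
    # Zero Trust Devices: unmanaged or unhealthy devices are refused.
    if not req.device_managed:
        return False, "device not managed"
    # Zero Trust Data: least privilege, the role must be entitled to the data.
    if req.resource_classification not in ROLE_ALLOWS.get(req.role, set()):
        return False, f"role {req.role!r} not entitled to {req.resource_classification!r} data"
    # Zero Trust Networks: source_network was never consulted above; an internal
    # address earns no trust and an external one loses none.
    return True, "allowed"


def demo():
    """Four constructed requests; returns the decision for each."""
    cases = {
        "inside_unverified": Request("dave", False, "finance", True, "internal", "confidential"),
        "outside_verified": Request("alice", True, "finance", True, "external", "confidential"),
        "unmanaged_device": Request("alice", True, "finance", False, "internal", "confidential"),
        "wrong_role": Request("eve", True, "intern", True, "internal", "confidential"),
    }
    return {name: evaluate(req)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:18s} -> {'allowed' if allowed else 'denied'}")
```

The contrast between the first two cases is the whole point: the request from the internal network is denied because its identity was not verified, while the request from outside is allowed because it passed every check. In a perimeter model the decision would have gone the other way on the strength of the source address alone.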

Assignment-1

1. Define computer security.
2. What is the difference between passive and active security threats?
3. List and briefly define categories of passive and active network security
attacks.
4. List and briefly define the fundamental security design principles.
5. Explain the difference between an attack surface and an attack tree.
6. What are a security threat and an attack? Describe different types of attacks in
brief.
7. Consider an automated teller machine (ATM) in which users provide a
personal identification number (PIN) and a card for account access. Give
examples of confidentiality, integrity, and availability requirements associated
with the system and, in each case, indicate the degree of importance of the
requirement.
