
Information Security UNIT-1 Notes

Unit-I of the Information Security syllabus covers the history, critical characteristics, and components of information security, emphasizing the need for security in business and the roles of various stakeholders. It details the Security Systems Development Life Cycle (SecSDLC) and the critical characteristics of information, including confidentiality, integrity, and availability, as well as the NSTISSC security model. The document also discusses the importance of balancing security with access and outlines the phases of the Systems Development Life Cycle (SDLC).

Unit-I Subject: Information Security

UNIT-I
Syllabus:
Introduction: History, critical characteristics of information, NSTISSC security
model, Components of an information system, Securing the components,
balancing security and access, the SDLC, the security SDLC
Need for Security: Business needs, Threats, Attacks, Secure software
development

Objective:
Outcome: Describe the steps in the Security Systems Development Life Cycle
(SecSDLC) and understand the common threats and attacks on information
systems
HISTORY
Julius Caesar: the Caesar cipher, c. 50 B.C., was created in order to prevent
his secret messages from being read should a message fall into the wrong hands.
The end of the 20th century and early years of the 21st century saw rapid
advancements in telecommunications, computing hardware and software, and data
encryption.

Introduction

Information technology is the vehicle that stores and transports information—a
company’s most valuable resource—from one business unit to another. But what
happens if the vehicle breaks down, even for a little while? As businesses have become
more fluid, the concept of computer security has been replaced by the concept of
information security.

Because this new concept covers a broader range of issues, from the protection of
data to the protection of human resources, information security is no longer the sole
responsibility of a discrete group of people in the company; rather, it is the
responsibility of every employee, and especially managers.

Organizations must realize that information security funding and planning decisions
involve more than just technical managers: Rather, the process should involve three
distinct groups of decision makers, or communities of interest:

➢ Information security managers and professionals
➢ Information technology managers and professionals
➢ Nontechnical business managers and professionals

These communities of interest fulfill the following roles:
➢ The information security community protects the organization’s information
assets from the many threats they face.

Dept. of CSE, MEC 2022-2023


➢ The information technology community supports the business objectives of
the organization by supplying and supporting information technology
appropriate to the business’ needs.
➢ The nontechnical general business community articulates and communicates
organizational policy and objectives and allocates resources to the other
groups.

WHAT IS SECURITY?
Understanding the technical aspects of information security requires that you know
the definitions of certain information technology terms and concepts. In general,
security is defined as “the quality or state of being secure—to be free from danger.”
Security is often achieved by means of several strategies usually undertaken
simultaneously or used in combination with one another.

Specialized areas of security


➢ Physical security, which encompasses strategies to protect people, physical
assets, and the workplace from various threats including fire, unauthorized
access, or natural disasters
➢ Personal security, which overlaps with physical security in the protection of the
people within the organization
➢ Operations security, which focuses on securing the organization’s ability to
carry out its operational activities without interruption or compromise
➢ Communications security, which encompasses the protection of an
organization’s communications media, technology, and content, and its ability
to use these tools to achieve the organization’s objectives
➢ Network security, which addresses the protection of an organization’s data
networking devices, connections, and contents, and the ability to use that
network to accomplish the organization’s data communication functions
➢ Information security includes the broad areas of information security
management, computer and data security, and network security.

Where has it been used?


➢ Governments, military, financial institutions, hospitals, and private
businesses.
➢ Protecting confidential information is a business requirement.

Information Security components:


➢ Confidentiality
➢ Integrity
➢ Availability(CIA)

CIA Triangle
The C.I.A. triangle - confidentiality, integrity, and availability - has expanded into a
more comprehensive list of critical characteristics of information. At the heart of the
study of information security is the concept of policy. Policy, awareness, training,
education, and technology are vital concepts for the protection of information and for
keeping information systems from danger.

Components of Information Security


Critical Characteristics of Information
❖ Confidentiality
❖ Integrity
❖ Availability
➢ Privacy
➢ Identification
➢ Authentication
➢ Authorization
➢ Accountability
❖ Accuracy
➢ Utility
➢ Possession
Confidentiality: It ensures that only those with sufficient privileges may access
certain information. When unauthorized individuals or systems can access
information, confidentiality is breached. To protect the confidentiality of information,
a number of measures are used:
➢ Information classification
➢ Secure document storage
➢ Application of general security policies
➢ Education of information custodians and end users
Example: a credit card transaction on the Internet.
➢ The system attempts to enforce confidentiality by encrypting the card number
during transmission, by limiting the places where it might appear (in
databases, log files, backups, printed receipts, and so on), and by restricting access
to the places where it is stored.
➢ Giving out confidential information over the telephone is a breach of
confidentiality if the caller is not authorized to have the information.
Integrity: It is the quality or state of being whole, complete, and uncorrupted. The
integrity of information is threatened when it is exposed to corruption, damage,
destruction, or other disruption of its authentic state. Corruption can occur while
information is being compiled, stored, or transmitted.
➢ Integrity means that data cannot be modified without authorization.
➢ Eg: Integrity is violated when an employee deletes important data files, when a
computer virus infects a computer, when an employee is able to modify his own
salary in a payroll database, when an unauthorized user vandalizes a website,
when someone is able to cast a very large number of votes in an online poll,
and so on.

Availability: It is the characteristic of information that enables user access to
information without interference or obstruction and in a required format. A user in
this definition may be either a person or another computer system. Availability does
not imply that the information is accessible to any user; rather, it means availability
to authorized users.
➢ For any information system to serve its purpose, the information must be
available when it is needed.
➢ Eg: High availability systems aim to remain available at all times, preventing
service disruptions due to power outages, hardware failures, and system
upgrades.
Privacy: The information that is collected, used, and stored by an organization is to
be used only for the purposes stated to the data owner at the time it was collected.
This definition of privacy does not focus on freedom from observation (the meaning
usually associated with the word), but rather means that information will be used
only in ways known to the person providing it.
Identification: An information system possesses the characteristic of identification
when it is able to recognize individual users. Identification and authentication are
essential to establishing the level of access or authorization that an individual is
granted.
Authentication: It occurs when a control provides proof that a user possesses the
identity that he or she claims.
➢ In computing, e-business, and information security it is necessary to ensure
that the data, transactions, communications, or documents (electronic or
physical) are genuine (i.e., they have not been forged or fabricated).
Authorization: After the identity of a user is authenticated, a process called
authorization provides assurance that the user (whether a person or a computer) has
been specifically and explicitly authorized by the proper authority to access, update,
or delete the contents of an information asset.


Accountability: The characteristic of accountability exists when a control provides
assurance that every activity undertaken can be attributed to a named person or
automated process. For example, audit logs that track user activity on an information
system provide accountability.
Accuracy: Information should have accuracy. Information has accuracy when it is
free from mistakes or errors, and it has the value that the end user expects. If
information contains a value different from the user’s expectations, due to the
intentional or unintentional modification of its content, it is no longer accurate.
Utility: Information has value when it serves a particular purpose. This means that
if information is available, but not in a format meaningful to the end user, it is not
useful. Thus, the value of information depends on its utility.
Possession: The possession of information is the quality or state of having
ownership or control of some object or item.

NSTISSC Security Model


The model comes from the ‘National Security Telecommunications & Information
Systems Security Committee’ (NSTISSC) document, which is now called the National
Training Standard for Information Security Professionals. The NSTISSC Security
Model provides a more detailed perspective on security.

While the NSTISSC model covers the three dimensions of information security, it
omits discussion of detailed guidelines and policies that direct the implementation of
controls.
Another weakness of using this model with too limited an approach is to view it from
a single perspective.
➢ The 3 dimensions of each axis become a 3x3x3 cube with 27 cells representing
areas that must be addressed to secure today’s Information systems.
➢ To ensure system security, each of the 27 cells must be properly addressed
during the security process.
➢ For example, the intersection between technology, Integrity & storage areas
requires a control or safeguard that addresses the need to use technology to
protect the Integrity of information while in storage.
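The 27-cell check described above can be run as a gap analysis over a control inventory. The following added example (not part of the original notes) does that. The notes name only technology, integrity and storage, so the remaining axis values are the standard ones of the model, and the control inventory and the "*" wildcard notation are constructed for illustration.

```python
from itertools import product

# The three axes of the cube, three values each.
AXES = (
    ("confidentiality", "integrity", "availability"),  # characteristic
    ("storage", "processing", "transmission"),         # information state
    ("policy", "education", "technology"),             # safeguard
)
ALL_CELLS = set(product(*AXES))                        # 3 x 3 x 3 = 27 cells


def expand(cell):
    """Expand one (characteristic, state, safeguard) tuple into cube cells.

    A "*" stands for every value on that axis (notation assumed here).
    Unknown values raise ValueError so that typos do not hide a gap.
    """
    if len(cell) != 3:
        raise ValueError(f"cell must have three parts: {cell!r}")
    choices = []
    for value, axis in zip(cell, AXES):
        if value == "*":
            choices.append(axis)
        elif value in axis:
            choices.append((value,))
        else:
            raise ValueError(f"unknown axis value: {value!r}")
    return set(product(*choices))


def coverage(controls):
    """Map every cell of the cube to the names of the controls addressing it."""
    covered = {cell: [] for cell in ALL_CELLS}
    for name, cells in controls.items():
        for cell in cells:
            for expanded in expand(cell):
                if name not in covered[expanded]:
                    covered[expanded].append(name)
    return covered


def gaps(controls):
    """Return the sorted list of cells that no control addresses."""
    return sorted(c for c, names in coverage(controls).items() if not names)


def gaps_per_value(controls, axis_index):
    """Count unaddressed cells per value along one axis (0, 1 or 2)."""
    counts = {value: 0 for value in AXES[axis_index]}
    for cell in gaps(controls):
        counts[cell[axis_index]] += 1
    return counts


# Constructed control inventory for a hypothetical organization.
CONTROLS = {
    "File hashing on the records server": [("integrity", "storage", "technology")],
    "TLS for internal web applications": [
        ("confidentiality", "transmission", "technology"),
        ("integrity", "transmission", "technology"),
    ],
    "Data classification policy": [("confidentiality", "*", "policy")],
    "Security awareness training": [("*", "*", "education")],
    "Nightly off-site backups": [("availability", "storage", "technology")],
}

if __name__ == "__main__":
    for cell in gaps(CONTROLS):
        print("no control for:", " / ".join(cell))
    print("gaps per safeguard:", gaps_per_value(CONTROLS, 2))
```
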


Components of an Information System


❖ Software
❖ Hardware
❖ Data
❖ People
❖ Procedures
❖ Networks

Software
➢ The software component of an IS comprises applications, operating systems, and
assorted command utilities.
➢ Software programs are the vessels that carry the lifeblood of information
through an organization. These are often created under the demanding
constraints of project management, which limit time, cost, and manpower.
Hardware
➢ Hardware is the physical technology that houses and executes the software,
stores and carries the data, and provides interfaces for the entry and removal
of information from the system.
➢ Physical security policies deal with hardware as a physical asset and with the
protection of these physical assets from harm or theft. Applying the traditional
tools of physical security, such as locks and keys, restricts access to and
interaction with the hardware components of an information system.
➢ Securing the physical location of computers and the computers themselves is
important because a breach of physical security can result in a loss of
information. Unfortunately, most information systems are built on hardware
platforms that cannot guarantee any level of information security if
unrestricted access to the hardware is possible.
Data
➢ Data stored, processed, and transmitted through a computer system must be
protected.
➢ Data is often the most valuable asset possessed by an organization and is the
main target of intentional attacks.
➢ Data are the raw, unorganized, discrete (separate, isolated), potentially useful
facts and figures that are later processed (manipulated) to produce information.

People
There are many roles for people in information systems. Common ones include
➢ Systems Analyst
➢ Programmer
➢ Technician
➢ Engineer
➢ Network Manager
➢ MIS (Manager of Information Systems)
➢ Data entry operator


Procedures
➢ A procedure is a series of documented actions taken to achieve something. A
procedure is more than a single simple task. A procedure can be quite complex
and involved, such as performing a backup, shutting down a system, patching
software.
Networks
➢ When information systems are connected to each other to form Local Area
Networks (LANs), and these LANs are connected to other networks such as the
Internet, new security challenges rapidly emerge. Steps to provide network
security are essential, as is the implementation of alarm and intrusion systems
to make system owners aware of ongoing compromises.

Securing Components
Protecting the components from potential misuse and abuse by unauthorized users.
➢ Subject of an attack
o Computer is used as an active tool to conduct the attack.
➢ Object of an attack
o Computer itself is the entity being attacked

Two types of attacks


1. Direct attack
When a hacker uses his personal computer to break into a system. [Originates from
the threat itself]
2. Indirect attack
When a system is compromised and used to attack other systems. [Originates from a
system or resource that itself has been attacked and is malfunctioning or working
under the control of a threat].
A computer can, therefore, be both the subject and object of an attack when, for
example, it is first the object of an attack and then compromised and used to attack
other systems, at which point it becomes the subject of an attack.

Balancing Information Security and Access


➢ Security has to be provided while keeping it feasible to access the information
for its application.
➢ Information Security cannot be an absolute: it is a process, not a goal.
➢ Should balance protection and availability.

Approaches to Information Security Implementation


➢ Bottom-up approach
➢ Top-down approach
- Has a higher probability of success.
- The project is initiated by upper-level managers who issue policy, procedures, and
processes.
- They dictate the goals and expected outcomes of the project.
- They determine who is suitable for each of the required actions.

The Systems Development Life Cycle (SDLC)

SDLC Waterfall Methodology: The SDLC is a methodology for the design and
implementation of an information system in an organization.
➢ A methodology is a formal approach to solving a problem based on a structured
sequence of procedures.
➢ SDLC consists of 6 phases.

Systems Development Life Cycle

Investigation
➢ It is the most important phase and it begins with an examination of the event
or plan that initiates the process.
➢ During this phase, the objectives, constraints, and scope of the project are
specified.
➢ At the conclusion of this phase, a feasibility analysis is performed, which
assesses the economic, technical and behavioral feasibilities of the process
and ensures that implementation is worth the organization’s time and effort.

Analysis
➢ It begins with the information gained during the investigation phase.

➢ It consists of assessments (quality) of the organization, the status of current
systems, and the capability to support the proposed systems.
➢ Analysts begin by determining what the new system is expected to do, and
how it will interact with existing systems.
➢ This phase ends with the documentation of the findings and an update of the
feasibility analysis.

Logical Design
➢ In this phase, the information gained from the analysis phase is used to begin
creating a systems solution for a business problem.
➢ Based on the business need, applications are selected that are capable of
providing needed services.
➢ Based on the applications needed, data support and structures capable of
providing the needed inputs are then chosen.
➢ In this phase, analysts generate a number of alternative solutions, each with
corresponding strengths and weaknesses, and costs and benefits.
➢ At the end of this phase, another feasibility analysis is performed.

Physical design
➢ In this phase, specific technologies are selected to support the solutions
developed in the logical design.
➢ The selected components are evaluated based on a make-or-buy decision.
➢ The final design integrates various components and technologies.

Implementation
➢ In this phase, any needed software is created.
➢ Components are ordered, received and tested.
➢ Afterwards, users are trained and supporting documentation created.
➢ Once all the components are tested individually, they are installed and tested
as a system.
➢ Again a feasibility analysis is prepared, and the sponsors are then presented
with the system for a performance review and acceptance test.

Maintenance and change


➢ It is the longest and most expensive phase of the process.
➢ It consists of the tasks necessary to support and modify the system for the
remainder of its useful life cycle.
➢ Periodically, the system is tested for compliance with business needs.
➢ Upgrades, updates, and patches are managed.
➢ As the needs of the organization change, the systems that support the
organization must also change.
➢ When a current system can no longer support the organization, the project is
terminated and a new project is implemented.


The Security Systems Development Life Cycle (SecSDLC)

The same phases used in the traditional SDLC can be adapted to support the
implementation of an information security project.

SecSDLC phases

Investigation
➢ This phase begins with a directive from upper management, dictating the
process, outcomes, and goals of the project, as well as its budget and other
constraints.
➢ Frequently, this phase begins with an enterprise information security policy,
which outlines the implementation of a security program within the
organization.
➢ Teams of responsible managers, employees, and contractors are organized.
➢ Problems are analyzed.
➢ Scope of the project, as well as specific goals and objectives, and any additional
constraints not covered in the program policy, are defined.
➢ Finally, an organizational feasibility analysis is performed to determine whether
the organization has the resources and commitment necessary to conduct a
successful security analysis and design.

Analysis
➢ In this phase, the documents from the investigation phase are studied.
➢ The development team conducts a preliminary analysis of existing security policies
or programs, along with that of documented current threats and associated
controls.
➢ The risk management task also begins in this phase.

Risk management is the process of identifying, assessing, and evaluating the levels
of risk facing the organization, specifically the threats to the organization’s security
and to the information stored and processed by the organization.

Logical design
➢ This phase creates and develops the blueprints for information security, and
examines and implements key policies.
➢ The team plans the incident response actions.
➢ Plans business response to disaster.
➢ Determines feasibility of continuing and outsourcing the project.

Physical design
➢ In this phase, the information security technology needed to support the
blueprint outlined in the logical design is evaluated.
➢ Alternative solutions are generated.
➢ Designs for physical security measures to support the proposed technological
solutions are created.


➢ At the end of this phase, a feasibility study should determine the readiness of
the organization for the proposed project.
➢ At this phase, all parties involved have a chance to approve the project before
implementation begins.

Implementation
➢ Similar to traditional SDLC
➢ The security solutions are acquired (made or bought), tested, implemented,
and tested again.
➢ Personnel issues are evaluated and specific training and education programs
are conducted.
➢ Finally, the entire tested package is presented to upper management for final
approval.

Maintenance and change


➢ Constant monitoring, testing, modification, updating, and repairing to meet
changing threats are done in this phase.

Security Professionals and the Organization

Senior management

The Chief Information Officer (CIO) is responsible for

➢ Assessment
➢ Management
➢ Implementation of information security in the organization

Information Security Project Team


➢ Champion
- Promotes the project
- Ensures its support, both financially & administratively.
➢ Team Leader
- Understands project management
- Personnel management
- And information Security technical requirements.
➢ Security policy developers
- individuals who understand the organizational culture,
- existing policies
- Requirements for developing & implementing successful policies.
➢ Risk assessment specialists
- Individuals who understand financial risk assessment techniques.
- The value of organizational assets,
- and the security methods to be used.
➢ Security Professionals
- Dedicated, trained, and well-educated specialists in all aspects of information
security, from both a technical and nontechnical standpoint.
➢ System Administrators
- Administrating the systems that house the information used by the
organization.
➢ End users

➢ Data Owner
- Responsible for the security and use of a particular set of information.
- Determine the level of data classification
- Work with subordinate managers to oversee the day-to-day administration of
the data.

➢ Data Custodians
- Responsible for the storage, maintenance, and protection of the information.
- Overseeing data storage and backups
- Implementing the specific procedures and policies.
➢ Data Users (End users)
- Work with the information to perform their daily jobs supporting the mission
of the organization.
- Everyone in the organization is responsible for the security of data, so data
users are included here as individuals with an information security role.

Key Terms in Information Security Terminology


➢ Asset
- An asset is the organizational resource that is being protected.
- An asset can be logical, such as a website, information, or data.
- An asset can be physical, such as a person or computer system.
➢ Attack
- An attack is an intentional or unintentional attempt to cause damage to or
otherwise compromise the information and/or the systems that support it. If
someone casually reads sensitive information not intended for his use, this is
considered a passive attack. If a hacker attempts to break into an information
system, the attack is considered active.
➢ Risk
-Risk is the probability that something can happen. In information security, it
could be the probability of a threat to a system.
➢ Security Blueprint
-It is the plan for the implementation of new security measures in the
organization. Sometimes called a framework, the blueprint presents an
organized approach to the security planning process.
➢ Security Model
- A security model is a collection of specific security rules that represents the
implementation of a security policy.


➢ Threats
-A threat is a category of objects, persons, or other entities that pose a potential
danger to an asset. Threats are always present. Some threats manifest
themselves in accidental occurrences, while others are purposeful. For
example, all hackers represent potential danger or threat to an unprotected
information system. Severe storms are also a threat to buildings and their
contents.
➢ Threat agent
-A threat agent is the specific instance or component of a threat. For example,
you can think of all hackers in the world as a collective threat, and Kevin
Mitnick, who was convicted for hacking into phone systems, as a specific threat
agent. Likewise, a specific lightning strike, hailstorm, or tornado is a threat
agent that is part of the threat of severe storms.
➢ Vulnerability
-Weaknesses or faults in a system or protection mechanism that expose
information to attack, or damage are known as vulnerabilities. Vulnerabilities
that have been examined, documented, and published are referred to as well-
known vulnerabilities.
➢ Exposure
-The exposure of an information system is a single instance when the system
is open to damage. Vulnerabilities can cause an exposure to potential damage
or attack from a threat. Total exposure is the degree to which an organization’s
assets are at risk of attack from a threat.

Need For Security

The purpose of information security management is to ensure business continuity
and reduce business damage by preventing and minimizing the impact of security
incidents. The Audit Commission Update report (1998) shows that fraud or cases of
IT abuse often occur due to the absence of basic controls, with one half of all detected
frauds found by accident. An Information Security Management System (ISMS)
enables information to be shared, whilst ensuring the protection of information and
computing assets.

At the most practical level, securing the information on your computer means:

➢ Ensuring that your information remains confidential and only those who
should access that information, can.

➢ Knowing that no one has been able to change your information, so you can
depend on its accuracy (information integrity).

➢ Making sure that your information is available when you need it (by making
back-up copies and, if appropriate, storing the back-up copies off-site).


Business Needs First


Information security performs four important functions for an organization:
1. Protects the organization’s ability to function.
2. Enables the safe operation of applications implemented on the organization’s IT
systems.
3. Protects the data the organization collects and uses.
4. Safeguards the technology assets in use at the organization.

1. Protecting the functionality of an organization


➢ Decision makers in organizations must set policy and operate their
organizations in compliance with the complex, shifting legislation that controls
the use of technology.

2. Enabling the safe operation of applications


➢ Organizations are under immense pressure to acquire and operate integrated,
efficient, and capable applications
➢ The modern organization needs to create an environment that safeguards
applications using the organization’s IT systems, particularly those
applications that serve as important elements of the infrastructure of the
organization.

3. Protecting data that organizations collect & use


➢ Protecting data in motion
➢ Protecting data at rest
➢ Both are critical aspects of information security.
➢ The value of data motivates attackers to steal, sabotage, or corrupt it.
➢ It is essential for the protection of integrity and value of the organization’s data

4. Safeguarding technology assets in organizations


➢ Must add secure infrastructure services based on the size and scope of the
enterprise.
➢ Organizational growth could lead to the need for public key infrastructure, PKI,
an integrated system of software, encryption methodologies.

THREATS
To protect an organization’s information, you must
1. Know yourself: (i.e.) be familiar with the information to be protected, and the
systems that store, transport, and process it.
2. Know the threats you face: To make sound decisions about information security,
management must be informed about the various threats facing the organization, its
application, data, and information systems.

Definition: A threat is an object, person, or other entity that represents a constant
danger to an asset.


Threats to Information Security


Categories of threat                      | Examples
Acts of human error or failure            | Accidents, employee mistakes
Compromises to intellectual property      | Piracy, copyright infringement
Deliberate acts of espionage or trespass  | Unauthorized access and/or data collection
Deliberate acts of information extortion  | Blackmail or information disclosure
Deliberate acts of sabotage or vandalism  | Destruction of systems or information
Deliberate acts of theft                  | Illegal confiscation of equipment or information
Deliberate software attacks               | Viruses, worms, macros, denial-of-service
Forces of nature                          | Fire, flood, earthquake, lightning
Deviations in quality of service          | ISP, power, or WAN service providers
Technical hardware failures or errors     | Equipment failure
Technical software failures or errors     | Bugs, code problems, unknown loopholes
Technological obsolescence                | Antiquated or outdated technologies
Threats
1. Acts of Human Error or Failure:
➢ Acts performed without intent or malicious purpose by an authorized user.
➢ Caused by inexperience, improper training, or the making of incorrect
assumptions.
One of the greatest threats to an organization’s information security is the
organization’s own employees.
➢ Entry of erroneous data
➢ accidental deletion or modification of data
➢ storage of data in unprotected areas.
➢ Failure to protect information can be prevented with
-Training
-Ongoing awareness activities
-Verification by a second party
-Many military applications have robust, dual-approval controls built in.

2. Compromises to Intellectual Property


➢ Intellectual Property is defined as the ownership of ideas and control over the
tangible or virtual representation of those ideas.
➢ Intellectual property includes trade secrets, copyrights, trademarks, and
patents.
➢ Once intellectual property has been defined and properly identified, breaches
to IP constitute a threat to the security of this information.
➢ An organization may purchase or lease the IP of other organizations.
➢ The most common IP breach is the unlawful use or duplication of software-based
intellectual property, more commonly known as software piracy.
➢ Software piracy affects the world economy.

➢ The U.S. provides approximately 80% of the world’s software.

In addition to the laws surrounding software piracy, two watchdog organizations
investigate allegations of software abuse.

i. Software and Information Industry Association (SIIA), i.e., the Software Publishers Association
ii. Business Software Alliance (BSA)

➢ Another effort to combat (take action against) piracy is the online registration
process.

3. Deliberate Acts of Espionage or Trespass


➢ Electronic and human activities that can breach the confidentiality of
information.
➢ When an unauthorized individual gains access to the information an
organization is trying to protect, the act is categorized as espionage or trespass.
➢ Attackers can use many different methods to access the information stored in
an information system.
   1. Competitive intelligence [use a web browser to get information from market
   research]
   2. Industrial espionage (spying)
   3. Shoulder surfing (ATM)

4. Trespass
➢ Can lead to unauthorized real or virtual actions that enable information
gatherers to enter premises or systems they have not been authorized to enter.
➢ Sound principles of authentication & authorization can help organizations
protect valuable information and systems.
➢ Hackers-> “People who use and create computer software to gain access to
information illegally”
➢ There are generally two skill levels among hackers.
➢ Expert Hackers-> Masters of several programming languages, networking
protocols, and operating systems.
➢ Unskilled Hackers

5. Deliberate Acts of information Extortion (obtain by force or threat)


➢ Possibility of an attacker or trusted insider stealing information from a
computer system and demanding compensation for its return or for an
agreement not to disclose the information.

6. Deliberate Acts of sabotage or Vandalism


➢ Destroy an asset or
➢ Damage the image of organization

➢ Cyber terrorism: Cyber terrorists hack systems to conduct terrorist activities
through network or internet pathways.

7. Deliberate Acts of Theft


➢ The illegal taking of another’s property is a constant problem.
➢ Within an organization, property can be physical, electronic, or intellectual.
➢ Physical theft can be controlled by installation of alarm systems.
➢ Trained security professionals.
➢ Electronic theft control is under research.

8. Deliberate Software Attacks


➢ Carried out with malicious code or malicious software, sometimes called malware.
➢ These software components are designed to damage, destroy or deny service to
the target system.
➢ The more common instances are viruses, worms, Trojan horses, logic bombs,
and backdoors.
➢ The British Internet service provider Cloudnine is believed to be the first
business “hacked out of existence”.

9. Virus
➢ Segments of code that perform malicious actions.
➢ Viruses are commonly transmitted when e-mail attachment files are opened.
➢ Macro virus-> Embedded in automatically executing macrocode common in
word processors, spreadsheets and database applications.
➢ Boot Virus-> infects the key operating files located in the computer’s boot
sector.

10. Worms
➢ A worm is a malicious program that replicates itself constantly, without
requiring another program to provide a safe environment for replication.
➢ Worms can continue replicating themselves until they completely fill available
resources, such as memory, hard drive space, and network bandwidth.
   o E.g., MS-Blaster, MyDoom, and Netsky are multifaceted attack worms.
➢ Once the worm has infected a computer, it can redistribute itself to all e-mail
addresses found on the infected system.
➢ Furthermore, a worm can deposit copies of itself onto all Web servers that the
infected systems can reach, so that users who subsequently visit those sites
become infected.

11. Trojan Horses


➢ Are software programs that hide their true nature and reveal their designed
behavior only when activated.

Figure: Trojan horse attack
(a) Trojan horse arrives via e-mail or software such as free games.
(b) Trojan horse is activated when the software or attachment is executed.
(c) Trojan horse releases its payload, monitors computer activity, installs back door, or transmits information to hacker.

12. Back Door or Trap Door


➢ A Virus or Worm has a payload that installs a backdoor or trapdoor component
in a system, which allows the attacker to access the system at will with special
privileges.

13. Polymorphic Threats


➢ A Polymorphic threat is one that changes its apparent shape over time, making
it undetectable by techniques that look for preconfigured signatures.
➢ These viruses and worms actually evolve, changing their size and appearance
to elude detection by antivirus software programs.

Virus & Worm Hoaxes


Virus
➢ A program or piece of code that is loaded onto your computer without your
knowledge and runs against your wishes.

Worm
➢ A program or algorithm that replicates itself over a computer network and
usually performs malicious actions.

Types of Trojans
➢ Data Sending Trojans
➢ Proxy Trojans
➢ FTP Trojans
➢ Security software disabler Trojans
➢ Denial of service attack Trojans(DOS)

Trojan Horse
➢ A destructive program that masquerades as a benign application. Unlike
viruses, Trojan horses do not replicate themselves.

Blended threat
➢ Blended threats combine the characteristics of virus, worm, Trojan horses &
malicious code with server and Internet Vulnerabilities.

Antivirus Program
➢ A utility that searches a hard disk for viruses and removes any that are found.

Forces of Nature
➢ Fire: Structural fire that damages the building. Also encompasses smoke
damage from a fire or water damage from sprinkler systems.
➢ Flood: Can sometimes be mitigated with flood insurance and/or business
interruption insurance.
➢ Earthquake: Can sometimes be mitigated with specific casualty insurance
and/or business interruption insurance, but is usually a separate policy.
➢ Lightning: An abrupt, discontinuous natural electric
discharge in the atmosphere.
➢ Landslide/Mudslide: The downward sliding of a mass of earth & rocks directly
damaging all parts of the information systems.
➢ Tornado/Severe Windstorm
➢ Hurricane/typhoon
➢ Tsunami
➢ Electrostatic Discharge (ESD)
➢ Dust Contamination

Since it is not possible to avoid force of nature threats, organizations must implement
controls to limit damage.
➢ They must also prepare contingency plans for continued operations, such as
disaster recovery plans, business continuity plans, and incident response
plans, to limit losses in the face of these threats.

Deviations in Quality of Service


➢ A product or service is not delivered to the organization as expected.
➢ The Organization’s information system depends on the successful operation of
many interdependent support systems.
➢ It includes power grids, telecom networks, parts suppliers, service vendors, and
even the janitorial staff & garbage haulers.
➢ This degradation of service is a form of availability disruption.

Internet Service Issues
➢ Internet service provider (ISP) failures can considerably undermine the
availability of information.
➢ The web hosting services are usually arranged with an agreement providing
minimum service levels known as a Service level Agreement (SLA).
➢ When a Service Provider fails to meet SLA, the provider may accrue fines to
cover losses incurred by the client, but these payments seldom cover the losses
generated by the outage.

Communications & Other Service Provider Issues

➢ Other utility services that can affect organizations are telephone, water,
wastewater, trash pickup, cable television, natural or propane gas, and
custodial services.
➢ The loss of these services can impair the ability of an organization to function.
➢ For an example, if the wastewater system fails, an organization might be
prevented from allowing employees into the building.
➢ This would stop normal business operations.

Power Irregularities
➢ Fluctuations due to power excesses.
➢ Power shortages &
➢ Power losses
This can pose problems for organizations that provide inadequately conditioned
power for their information systems equipment.
➢ When voltage levels spike (experience a momentary increase) or surge
(experience a prolonged increase), the extra voltage can severely damage or
destroy equipment.
➢ The more expensive uninterruptible power supply (UPS) can protect against
spikes and surges.

Technical Hardware Failures or Errors


➢ Resulting in unreliable service or lack of availability
➢ Some errors are terminal, in that they result in unrecoverable loss of
equipment.
➢ Some errors are intermittent, in that they result in faults that are not easily
repeated.

Technical software failures or errors


➢ This category involves threats that come from purchasing software with
unknown, hidden faults.
➢ Large quantities of computer code are written, debugged, published, and sold
before all their bugs are detected and resolved.
➢ These failures range from bugs to untested failure conditions.

Technological obsolescence
➢ Outdated infrastructure can lead to unreliable and untrustworthy systems.
➢ Management must recognize that when technology becomes outdated, there is
a risk of loss of data integrity from attacks.

ATTACKS
➢ An attack is an act or action that takes advantage of a vulnerability to
compromise a controlled system.
➢ It is accomplished by a threat agent that damages or steals an organization’s
information or physical asset.

➢ Vulnerability is an identified weakness in a controlled system, where controls
are not present or are no longer effective.
➢ Attacks exist when a specific act or action comes into play and may cause a
potential loss.

1. Malicious code
➢ The malicious code attack includes the execution of viruses, worms, Trojan
horses, and active Web scripts with the intent to destroy or steal information.
➢ The state-of-the-art malicious code attack is the polymorphic, or multivector,
worm.
➢ These attack programs use up to six known attack vectors to exploit a variety
of vulnerabilities in commonly found information system devices.

2. Attack Replication Vectors


➢ IP scan & attack
➢ Web browsing
➢ Virus
➢ Unprotected shares
➢ Mass mail
➢ Simple Network Management Protocol(SNMP)
IP scan & attack: The infected system scans a random or local range of IP addresses
and targets any of several vulnerabilities known to hackers.

Web browsing: If the infected system has write access to any Web pages, it makes all
Web content files (.html, .asp, .cgi & others) infectious, so that users who browse to
those pages become infected.

Virus: Each infected machine infects certain common executable or script files on all
computers to which it can write with virus code that can cause infection.

Unprotected shares: Using vulnerabilities in file systems and the way many
organizations configure them, the infected machine copies the viral component to all
locations it can reach.

Mass mail: By sending e-mail infections to addresses found in the address book, the
infected machine infects many users, whose mail-reading programs also
automatically run the program & infect other systems.

Simple Network Management Protocol (SNMP): By using the widely known and
common passwords that were employed in early versions of this protocol, the
attacking program can gain control of the device. Most vendors have closed these
vulnerabilities with software upgrades.

3. Hoaxes

➢ A more devious approach to attacking the computer systems is the
transmission of a virus hoax with a real virus attached.
➢ Even though these users are trying to avoid infection, they end up sending the
attack on to their co-workers.

4. Backdoors
➢ Using a known or previously unknown and newly discovered access
mechanism, an attacker can gain access to a system or network resource
through a back door.
➢ Sometimes these entries are left behind by system designers or maintenance
staff, and thus referred to as trap doors.
➢ A trap door is hard to detect, because very often the programmer who puts it
in place also makes the access exempt from the usual audit logging features of
the system.

5. Password Crack
➢ Attempting to reverse-calculate a password is often called cracking.
➢ A guessed password can be hashed using the same algorithm and compared to the
stored hashed result; if they are the same, the password has been cracked.
➢ The Security Account Manager (SAM) file contains the hashed representation
of the user’s password.

6. Brute Force
➢ The application of computing & network resources to try every possible
combination of options of a password is called a Brute force attack.
➢ Because this is often an attempt to repeatedly guess passwords to commonly used
accounts, it is sometimes called a password attack.

7. Spoofing
➢ It is a technique used to gain unauthorized access to computers, wherein the
intruder sends messages to a computer with an IP address that indicates
that the messages are coming from a trusted host.

Figure: IP spoofing. The firewall allows the packet in, mistaking it for legitimate traffic.

8. Dictionary
➢ This is another form of the brute force attack noted above for guessing
passwords.
➢ The dictionary attack narrows the field by selecting specific accounts to attack
and uses a list of commonly used passwords instead of random combinations.
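
The brute force and dictionary attacks described above both show up to a defender as bursts of failed logins against an account. The following is an added example, not part of the original notes: a sliding-window detector run over constructed log lines. The log format, the names `detect` and `parse`, and the thresholds are assumptions made for this illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the line format is an assumption made for this example.
SAMPLE_LOG = """\
2024-03-01T09:00:00 FAIL user=admin src=203.0.113.7
2024-03-01T09:00:02 FAIL user=admin src=203.0.113.7
2024-03-01T09:00:04 FAIL user=admin src=203.0.113.7
2024-03-01T09:00:06 FAIL user=admin src=203.0.113.7
2024-03-01T09:00:08 FAIL user=admin src=203.0.113.7
2024-03-01T09:00:10 FAIL user=admin src=203.0.113.7
2024-03-01T09:00:12 OK user=admin src=203.0.113.7
2024-03-01T09:00:30 FAIL user=alice src=198.51.100.4
2024-03-01T09:00:40 FAIL user=alice src=198.51.100.4
2024-03-01T09:00:50 OK user=alice src=198.51.100.4
2024-03-01T09:01:00 FAIL user=bob src=192.0.2.9
2024-03-01T09:03:00 FAIL user=bob src=192.0.2.9
2024-03-01T09:05:00 FAIL user=bob src=192.0.2.9
2024-03-01T09:07:00 FAIL user=bob src=192.0.2.9
2024-03-01T09:09:00 FAIL user=bob src=192.0.2.9
"""

WINDOW = timedelta(seconds=60)   # how far back failures are counted
MAX_FAILS = 5                    # failures inside the window that raise an alert


def parse(line):
    """Split one log line into (timestamp, result, user, source address)."""
    ts, result, user, src = line.split()
    return (datetime.fromisoformat(ts), result,
            user.split("=", 1)[1], src.split("=", 1)[1])


def detect(log_text, window=WINDOW, max_fails=MAX_FAILS):
    """Return alerts as (timestamp, kind, user, src) tuples, in log order."""
    recent = defaultdict(deque)  # user -> timestamps of failures inside the window
    flagged = set()              # accounts currently under a guessing alert
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = parse(line)
        fails = recent[user]
        while fails and ts - fails[0] > window:   # drop failures older than the window
            fails.popleft()
        if result == "FAIL":
            fails.append(ts)
            if len(fails) >= max_fails and user not in flagged:
                flagged.add(user)                 # point at which a lockout would apply
                alerts.append((ts.isoformat(), "repeated-guessing", user, src))
        elif result == "OK":
            if user in flagged:                   # a guess may have succeeded
                alerts.append((ts.isoformat(), "success-after-guessing", user, src))
                flagged.discard(user)
            fails.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

With the default 60-second window the slow guessing against `bob` goes unnoticed, which is why the window and threshold have to be tuned against how patient an attacker is expected to be.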

9. Denial-of-Service (DoS) & Distributed Denial-of-Service (DDoS)


➢ The attacker sends a large number of connection or information requests to a
target.
➢ This may result in the system crashing, or simply becoming unable to perform
ordinary functions.
➢ DDoS is an attack in which a coordinated stream of requests is launched
against a target from many locations at the same time.

10. Man-in-the-Middle

➢ Otherwise called a TCP hijacking attack.
➢ An attacker monitors packets from the network, modifies them, and inserts
them back into the network.
➢ This type of attack uses IP spoofing.
➢ It allows the attacker to change, delete, reroute, add, forge or divert data.
➢ In a TCP hijacking session, the spoofing involves the interception of an encryption
key exchange.

11. Spam
➢ Spam is unsolicited commercial E-mail.
➢ It has been used to make malicious code attacks more effective.
➢ Spam is considered a trivial nuisance rather than an attack.
➢ The harm it does is the waste of both computer and human resources caused by
the flow of unwanted e-mail.

12. Mail Bombing


➢ Another form of e-mail attack that is also a DoS is called a mail bomb.
➢ The attacker routes large quantities of e-mail to the target.
➢ The target of the attack receives unmanageably large volumes of unsolicited
e-mail.
➢ By sending large e-mails, attackers can take advantage of poorly configured
e-mail systems on the Internet and trick them into sending many e-mails to an
address chosen by the attacker.
➢ The target e-mail address is buried under thousands or even millions of
unwanted e-mails.

13. Sniffers
➢ A sniffer is a program or device that can monitor data traveling over a network.
➢ Unauthorized sniffers can be extremely dangerous to a network’s security
because they are virtually impossible to detect and can be inserted almost
anywhere.
➢ Sniffers often work on TCP/IP networks, where they are sometimes called
“packet sniffers”.

14. Social Engineering


➢ It is the process of using social skills to convince people to reveal access
credentials or other valuable information to the attacker.

➢ An attacker gets more information by calling others in the company and
asserting his/her authority by mentioning the chief’s name.

15. Buffer Overflow


➢ A buffer overflow is an application error that occurs when more data is sent to
a buffer than it can handle.
➢ Attacker can make the target system execute instructions.

16. Timing Attack


➢ Works by exploring the contents of a web browser’s cache.
➢ These attacks allow a Web designer to create a malicious form of cookie that
is stored on the client’s system.

Secure Software Development


Systems consist of hardware, software, networks, data, procedures, and the people who
use the system. Many information security issues have their root cause in the
software elements of the system. Secure systems require secure, or at least securable,
software elements.

The development of systems and software is often accomplished using a
methodology called the SDLC. To develop secure systems, many organizations have
included security objectives in the SDLC and have put in place procedures to create
secure software. This approach to software development is known as software
assurance, or SA.

The U.S. Department of Defense (DoD) launched a Software Assurance Initiative in
2003 to create a common body of knowledge which focuses on secure software
development. This program initiative resulted in the publication of the Secure
Software Assurance (SwA) Common Body of Knowledge (CBK).

The SwA CBK document contains the following sections:


➢ Nature of Dangers
➢ Fundamental Concepts and Principles
➢ Ethics, Law, and Governance
➢ Secure Software Requirements
➢ Secure Software Design
➢ Secure Software Construction
➢ Secure Software Verification, Validation, and Evaluation
➢ Secure Software Tools and Methods
➢ Secure Software Processes
➢ Secure Software Project Management
➢ Acquisition of Secure Software
➢ Secure Software Sustainment.

Software Design Principles


Good software development should result in a finished product that meets all of its
design specifications.
Common security principles
1. Economy of mechanism: Keep the design as simple and small as possible.
2. Fail-safe defaults: Base access decisions on permission rather than exclusion.
3. Complete mediation: Every access to every object must be checked for authority.
4. Open design: The design should not be secret, but rather depend on the possession
of keys or passwords.
5. Separation of privilege: Where feasible, a protection mechanism should require two
keys to unlock, rather than one.
6. Least privilege: Every program and every user of the system should operate using
the least set of privileges necessary to complete the job.
7. Least common mechanism: Minimize mechanisms (or shared variables) common
to more than one user and depended on by all users.
8. Psychological acceptability: It is essential that the human interface be designed for
ease of use, so that users routinely and automatically apply the protection
mechanisms correctly.
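
Several of these principles can be seen working together in a few lines of code. The following is an added example, not part of the original notes: a small access-control layer showing fail-safe defaults, complete mediation, separation of privilege and least privilege. The class names, the `approve` permission and the rule that the requester cannot approve their own request are assumptions made for this illustration.

```python
class AccessDenied(Exception):
    """Raised whenever the monitor refuses a request."""


class ReferenceMonitor:
    def __init__(self):
        self._grants = set()   # explicit (subject, action, object) permissions only
        self._dual = set()     # (action, object) pairs that need two approvers
        self.audit = []        # every decision is recorded, allowed or not

    def grant(self, subject, action, obj):
        # Least privilege: permissions are handed out one action on one object at a time.
        self._grants.add((subject, action, obj))

    def require_dual_approval(self, action, obj):
        self._dual.add((action, obj))

    def check(self, subject, action, obj, approvers=()):
        # Fail-safe default: anything not explicitly granted is denied.
        allowed = (subject, action, obj) in self._grants
        if allowed and (action, obj) in self._dual:
            # Separation of privilege: two distinct approvers, neither of them
            # the requester, each holding the "approve" permission on the object.
            valid = {a for a in approvers
                     if a != subject and (a, "approve", obj) in self._grants}
            allowed = len(valid) >= 2
        self.audit.append((subject, action, obj, allowed))
        return allowed


class RecordStore:
    """Data store whose every operation goes through the monitor (complete mediation)."""

    def __init__(self, monitor):
        self._monitor = monitor
        self._data = {}

    def _mediate(self, subject, action, name, approvers=()):
        if not self._monitor.check(subject, action, name, approvers):
            raise AccessDenied(f"{subject} may not {action} {name}")

    def write(self, subject, name, value):
        self._mediate(subject, "write", name)
        self._data[name] = value

    def read(self, subject, name):
        self._mediate(subject, "read", name)
        return self._data.get(name)

    def delete(self, subject, name, approvers=()):
        self._mediate(subject, "delete", name, approvers)
        self._data.pop(name, None)
```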

Software Development Security Problems:


➢ Buffer Overruns: Buffers are used to manage mismatches in the processing rates
between two entities involved in a communication process.
➢ Command Injection: Command injection problems occur when user input is passed
directly to a compiler or interpreter.
➢ Cross-site Scripting: Cross-site scripting (or XSS) occurs when an application
running on a Web server gathers data from a user in order to steal it.
➢ Failure to Handle Errors: Failure to handle errors can cause a variety of
unexpected system behaviors. Programmers are expected to prepare code to handle them.
➢ Failure to Protect Network Traffic
➢ Failure to Store and Protect Data Securely
➢ Failure to Use Cryptographically Strong Random Numbers
➢ Format String Problems
➢ Neglecting Change Control
➢ Improper File Access
➢ Improper Use of SSL
➢ Information Leakage
➢ Integer Bugs (Overflows/Underflows)
➢ Race Conditions
➢ SQL Injection
➢ Trusting Network Address Resolution
➢ Unauthenticated Key Exchange
➢ Use of Magic URLs and Hidden Forms
➢ Use of Weak Password-Based Systems
➢ Poor Usability
