
Chapter 1 Computer Security

The document provides an overview of information security, emphasizing the importance of protecting sensitive information from unauthorized access and various types of vulnerabilities. It details different attack types, including passive and active attacks, and outlines security functional requirements necessary for safeguarding information systems. Additionally, it discusses attack surfaces, attack trees, and the significance of identifying threats and risks in defining security measures.

Uploaded by

Binod SAdhikari
Copyright
© © All Rights Reserved

Chapter – One

Introduction to Information Security

Information security refers to the protection or safeguarding of
information and information systems that use, store, and transmit
information from unauthorized access, disclosure, alteration, and
destruction. Information is a critical asset that organizations must secure. If
sensitive information falls into the wrong hands then the respective
organization may suffer huge losses in terms of finances, brand reputation,
customers, or in other ways. To provide an understanding of how to secure
such critical information resources, this module starts with an overview of
information security.

The NIST Computer Security Handbook defines the term computer security as:

Computer Security: The protection afforded to an automated
information system in order to attain the applicable objectives of
preserving the integrity, availability, and confidentiality of information
system resources (includes hardware, software, firmware,
information/data, and telecommunications).

Cyber security is the collection of tools, policies, security concepts, security
safeguards, guidelines, risk management approaches, actions, training,
best practices, assurance and technologies that can be used to protect
the cyber environment and organization and user’s assets.

A vulnerability in computer security is a weakness or flaw in a system that
can be exploited by attackers to gain unauthorized access, steal data,
disrupt operations, or cause other damage. These vulnerabilities can exist in
hardware, software, firmware, or even configuration settings.

Here's a breakdown of key points:

• Types of vulnerabilities: There are many different types of
vulnerabilities; some common ones include:
o Software bugs: Programming errors that can be exploited to
crash a system or gain unauthorized access.
o Weak passwords: Passwords that are easy to guess or crack.
o Misconfiguration: Systems or software that are not configured
securely.
o Zero-day vulnerabilities: Previously unknown vulnerabilities
that attackers can exploit before a patch is available.
o Social engineering: Techniques used to trick users into giving
up sensitive information or clicking on malicious links.

• Impact of vulnerabilities: Exploited vulnerabilities can have a serious
impact on individuals and organizations. Some potential consequences
include:
o Data breaches: Sensitive information such as financial data, personal
information, or intellectual property can be stolen.
o Malware infections: Malicious software can be installed on a system
to steal data, disrupt operations, or hold data hostage for ransom.
o Denial-of-service (DoS) attacks: Attackers can overwhelm a system
with traffic, making it unavailable to legitimate users.
o Loss of reputation: A security breach can damage an organization's
reputation and lead to lost business.

An asset is:

- Anything of value that needs protection.
- Can be tangible (buildings, equipment) or intangible (data, reputation).
- Examples: Customer information on a company server (tangible data),
a brand's good reputation (intangible).

Threat is the possible danger that may exploit the vulnerability of the
system or asset. A threat can be prevented by controlling the vulnerabilities.

What are security attacks?

An attack is the actual act of exploiting the information security system's
weaknesses. It is any action that compromises the security of information owned
by an organization. The attack is a deliberate action. An attacker has a
motive and plans the attack accordingly.

Types of Attacks

1. Passive attacks. Passive attacks involve eavesdropping and monitoring
network traffic and data flow on the target network and do not tamper
with the data. Attackers perform reconnaissance on network activities
using sniffers. The goal of passive attacks is to obtain information that
is being transmitted.
Two types of passive attacks are:
a. Unauthorized disclosure of message contents – The adversary may
capture the cipher-text by tapping the communication media and
attempt to decipher it either by brute force method or by
sophisticated crypt-analysis techniques.
b. Traffic pattern analysis. The attacker may attempt to determine the
traffic pattern like frequency and length of messages being
transmitted. This may provide some leads to the nature of
information being transmitted. For example, in the defense
scenario, if the frequency of messages suddenly goes up it may
indicate that some operations are imminent.

[Figure: passive attack. The adversary reads the contents of a message from Bob to Alice, or observes the pattern of messages from Bob to Alice.]

Passive attacks are difficult to detect as they do not involve any alteration of
the data. The message traffic is sent and received in an apparently normal
fashion, and neither the sender nor the receiver is aware that a third party has
read the messages or observed the traffic pattern. To prevent such attacks,
encryption techniques can be used.

2. Active attacks. Active attacks involve some modification of the data stream
or the creation of false data. Attackers launch attacks on the target system or
network by actively sending traffic that can be detected. Types of active
attacks:
a. Masquerade. It takes place when one entity pretends to be a different
entity. It refers to a scenario where an entity (say ‘A’) pretends to be
another entity (say ‘B’) and sends a message to a third entity (say ‘C’). This is
possible if ‘A’ is able to capture the authentication sequences of entity
‘B’ and replay them to send an unauthorized message to entity ‘C’. The
recipient ‘C’ will tend to believe that the message has been sent by ‘B’.

b. Replay. It involves capturing of a data stream, altering the data stream
and then transmitting it to the intended recipient, to produce an
unauthorized effect. Suppose a message ‘Reaching today at 4:00 pm’
is captured on 15th July 2019 and replayed on 17th July 2019. The
recipient will wrongly believe that the alleged sender of the message is
arriving on 17th July.

c. Modification of message. It involves capturing of a data stream, altering
the data and then transmitting it to the intended recipient to produce
an unauthorized effect. The altering may include modification,
deletion, appending, or reordering of the data stream.

d. Denial of service. It refers to preventing or inhibiting normal use of
communication services. For example, the adversary may suppress all
the messages meant for a particular destination, or saturate the
network by flooding it with spurious messages that degrade the
network’s performance. If the network is saturated, the transmission
of valid messages will be unduly delayed. Some messages may even
get lost in transit.
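
As an added example (not part of the original chapter), the following receiver-side check rejects the replayed message from (b) and a modified message from (c). It assumes the sender and receiver share a secret key and that each message carries a send time and a one-time nonce; `seal`, `Receiver`, the key and the five-minute window are hypothetical choices made for the illustration.

```python
import hashlib, hmac, json
from datetime import datetime, timezone

KEY = b"constructed-demo-key"   # assumption: secret shared by sender and receiver
MAX_AGE = 300                   # assumption: accept messages up to 5 minutes old

def seal(key, body, sent_at, nonce):
    """Sender: bind text, send time and a one-time nonce under one HMAC tag."""
    payload = json.dumps({"body": body, "sent_at": sent_at, "nonce": nonce},
                         sort_keys=True).encode()
    return {"payload": payload,
            "tag": hmac.new(key, payload, hashlib.sha256).hexdigest()}

class Receiver:
    def __init__(self, key, max_age=MAX_AGE):
        self.key, self.max_age = key, max_age
        self.seen = {}          # nonce -> sent_at for messages still in the window

    def accept(self, msg, now):
        expected = hmac.new(self.key, msg["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: modified or forged"
        fields = json.loads(msg["payload"])
        if abs(now - fields["sent_at"]) > self.max_age:
            return "rejected: stale, possible replay"
        # Forget nonces that the freshness check alone would already reject.
        self.seen = {n: t for n, t in self.seen.items()
                     if abs(now - t) <= self.max_age}
        if fields["nonce"] in self.seen:
            return "rejected: nonce already used, replay"
        self.seen[fields["nonce"]] = fields["sent_at"]
        return "accepted"

def demo():
    # Constructed sample: the chapter's message, sent on 15 July 2019.
    t0 = int(datetime(2019, 7, 15, 10, 0, tzinfo=timezone.utc).timestamp())
    msg = seal(KEY, "Reaching today at 4:00 pm", t0, "nonce-0001")
    rx = Receiver(KEY)
    tampered = dict(msg, payload=msg["payload"].replace(b"4:00", b"6:00"))
    return [rx.accept(msg, t0 + 5),            # original delivery
            rx.accept(msg, t0 + 20),           # replayed seconds later
            rx.accept(msg, t0 + 2 * 86400),    # replayed on 17 July 2019
            rx.accept(tampered, t0 + 30)]      # body altered in transit

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The tag alone stops modification; the timestamp and nonce are what stop an unmodified copy from being accepted a second time.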

We can also classify attacks based on the origin of the attack:

- Inside attack: Initiated by an entity inside the security perimeter (an
“insider”). The insider is authorized to access system resources but
uses them in a way not approved by those who granted the
authorization.
- Outside attack: Initiated from outside the perimeter, by an
unauthorized or illegitimate user of the system (an “outsider”). On the
Internet, potential outside attackers range from amateur pranksters to
organized criminals, international terrorists, and hostile governments.

Attackers generally have motives (goals) and objectives behind their
information security attacks. A motive originates out of the notion that a
target system stores or processes something valuable, which leads to the
threat of an attack on the system. The purpose of the attack may be to
disrupt the target organization’s business operations, to steal valuable
information for the sake of curiosity, or even to exact revenge.

Security Services

X.800 defines the security services under the following categories


Security Functional Requirement

IT Security Requirements describe functional and non-functional
requirements that need to be satisfied in order to achieve the security
attributes of an IT system.

Security requirements can be formulated on different abstraction levels. At
the highest abstraction level they basically just reflect security objectives. An
example of a security objective could be "The system must maintain the
confidentiality of all data that is classified as confidential".

OSA suggests distinguishing 4 different security requirement types:

• Secure Functional Requirements: this is a security-related description
that is integrated into each functional requirement. Typically this also
says what shall not happen. This requirement can, for example, be derived
from misuse cases.
• Non-Functional Security Requirements: these are security-related
architectural requirements, like "robustness" or "minimal performance
and scalability". This requirement type is typically derived from
architectural principles and good practice standards.
• Secure Development Requirements: these requirements describe
required activities during system development which assure that the
outcome is not subject to vulnerabilities. Examples could be "data
classification", "coding guidelines" or "test methodology". These
requirements are derived from corresponding best practice frameworks
like "CLASP".
• Functional Security Requirements: these are security services that
need to be achieved by the system under inspection. A security functional
requirement (SFR) is a specification of a system's behavior in terms of its
security capabilities and functions. SFRs are typically used to ensure that
a system provides adequate protection against identified threats and
meets the necessary security policies and standards. Here are some
examples of security functional requirements:

Examples of Security Functional Requirements

1. Identification and Authentication

• Requirement: The system shall require users to be uniquely identified
and authenticated before granting access.
• Details: This can include user IDs, passwords, biometrics, multi-factor
authentication, etc.

2. Access Control

• Requirement: The system shall enforce access controls that restrict
access to data and resources based on user roles and permissions.
• Details: Role-based access control (RBAC), mandatory access control
(MAC), or discretionary access control (DAC).

3. Data Confidentiality

• Requirement: The system shall ensure that sensitive data is protected
from unauthorized access or disclosure.
• Details: Encryption of data at rest and in transit, use of secure
communication protocols (e.g., TLS/SSL).

4. Data Integrity

• Requirement: The system shall ensure the integrity of data by
protecting it from unauthorized modification.
• Details: Checksums, digital signatures, cryptographic hash functions.

5. Audit and Accountability

• Requirement: The system shall provide the capability to audit user
activities and system events to ensure accountability.
• Details: Logging of access attempts, changes to data, system alerts,
audit trail generation.

6. Non-repudiation

• Requirement: The system shall ensure that actions taken by users
cannot be denied by the users themselves.
• Details: Use of digital signatures, transaction logging.

7. Availability

• Requirement: The system shall ensure that critical resources and data
are available to authorized users when needed.
• Details: Redundancy, failover mechanisms, backup and recovery plans.

8. Security Management

• Requirement: The system shall provide tools and interfaces for
managing security policies, roles, and access controls.
• Details: Administration interfaces for security configuration, user
management.

9. Privacy

• Requirement: The system shall ensure that users' personal information
is protected according to applicable privacy laws and regulations.
• Details: Data anonymization, user consent management.

10. Security Incident Response

• Requirement: The system shall provide mechanisms for detecting,
reporting, and responding to security incidents.
• Details: Intrusion detection systems, incident response plans, alerting
mechanisms.

How to Define Security Functional Requirements

1. Identify Threats and Risks: Understand the potential threats and risks
that the system faces. This could be done through threat modeling and
risk assessments.

2. Set Security Objectives: Based on the identified threats, define the
security objectives that the system must achieve.

3. Define Requirements: Translate the security objectives into specific,
measurable, achievable, relevant, and time-bound (SMART) requirements.

4. Review and Validate: Ensure that the requirements are reviewed and
validated by stakeholders, including security experts, to ensure they are
comprehensive and achievable.

5. Implementation and Testing: Ensure that the requirements are
implemented and rigorously tested to verify that they meet the specified
security needs.

Security functional requirements are critical in the design and
implementation of secure systems, providing a clear specification of what
security measures must be in place and ensuring that the system can defend
against potential threats and vulnerabilities.

Attack Surfaces
An attack surface is the total number of all possible entry points for unauthorized access into any
system. Attack surfaces include all vulnerabilities and endpoints that can be exploited to carry out a
security attack. The attack surface is also the entire area of an organization or system that's
susceptible to hacking.

Different types of attack surfaces:

• Physical attack surfaces comprise all endpoint devices, such as desktop systems, laptops,
mobile devices, hard drives and USB ports. This type of attack surface includes all the devices
that an attacker can physically access. Likewise, this also includes improperly discarded
hardware that contains user data and login credentials, passwords on paper or physical break-ins.
• Digital attack surfaces encompass applications, code, ports, servers and websites, as well as
unauthorized system access points. A digital attack surface is all the hardware and software that
connect to an organization's network. Vulnerabilities caused by poor coding, weak passwords,
default operating system settings, exposed APIs, outdated software or misconfigurations are all
part of the digital attack surface.
• Social engineering attack surfaces surround the topic of human vulnerabilities as opposed to
hardware or software vulnerabilities. Social engineering is the concept of manipulating a person
with the goal of getting them to share and compromise personal or company data. Therefore, an
organization's social engineering attack surface is the number of authorized users who are
susceptible to social engineering attacks. Phishing attacks are a well-known example of social
engineering attacks.

Attack Tree
Attack trees are hierarchical, graphical diagrams that show how low level
hostile activities interact and combine to achieve an adversary's objectives
- usually with negative consequences for the victim of the attack.

Similar to many other types of trees (e.g., decision trees), the diagrams are
usually drawn inverted, with the root node at the top of the tree and
branches descending from the root. The top or root node represents the
attacker's overall goal. The nodes at the lowest levels of the tree (leaf
nodes) represent the activities performed by the attacker. Nodes between
the leaf nodes and the root node depict intermediate states or attacker sub-
goals. Although the attacker may gain benefits (and the victim suffer
impacts) at any level of the tree, the impacts usually increase at higher
levels of the tree.

Gaining Unauthorized Access to Secure System
├── Gain Physical Access to Server Room
│   ├── Pick Lock
│   │   ├── Use lock-picking tools
│   │   └── Duplicate key
│   ├── Steal Key
│   │   ├── Pickpocket
│   │   └── Social engineering (trick employee)
│   └── Break Door
│       ├── Use brute force
│       └── Use power tools
├── Bypass Network Security
│   ├── Exploit Vulnerability
│   │   ├── Use known software exploit
│   │   └── Discover zero-day vulnerability
│   ├── Brute Force Attack
│   │   ├── Guess passwords
│   │   └── Use a password cracking tool
│   └── Phishing Attack
│       ├── Send phishing emails
│       └── Use a fake login page
├── Obtain User Credentials
│   ├── Social Engineering
│   │   ├── Impersonate IT support
│   │   └── Use pretexting
│   ├── Install Keylogger
│   │   ├── Physically install on workstation
│   │   └── Use malware to remotely install
│   └── Shoulder Surfing
│       ├── Observe user typing password
│       └── Use hidden camera
├── Exploit Software Vulnerabilities
│   ├── Inject Malicious Code
│   │   ├── SQL injection
│   │   └── Cross-site scripting (XSS)
│   └── Buffer Overflow
│       ├── Exploit poorly written code
│       └── Use automated tools
└── Man-in-the-Middle Attack
    ├── Interception
    │   ├── Use packet sniffer
    │   └── Use rogue Wi-Fi hotspot
    └── Modification
        ├── Alter data packets
        └── Redirect traffic
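
As an added example (not part of the original chapter), two branches of the tree above can be encoded as data so that a defender can see which leaf activities still reach the root goal once a set of controls is in place. It assumes every child in the tree is an alternative (an OR node) and, going beyond the chapter's tree, also handles AND nodes where all sub-goals are required; the control names and the leaves each control is taken to block are constructed for the illustration.

```python
def leaf(label):          return {"label": label, "gate": "LEAF", "kids": []}
def any_of(label, *kids): return {"label": label, "gate": "OR", "kids": list(kids)}
def all_of(label, *kids): return {"label": label, "gate": "AND", "kids": list(kids)}

# Two branches copied from the chapter's tree; every node is treated as OR.
TREE = any_of("Gaining Unauthorized Access to Secure System",
    any_of("Bypass Network Security",
        any_of("Exploit Vulnerability", leaf("Use known software exploit"),
               leaf("Discover zero-day vulnerability")),
        any_of("Brute Force Attack", leaf("Guess passwords"),
               leaf("Use a password cracking tool")),
        any_of("Phishing Attack", leaf("Send phishing emails"),
               leaf("Use a fake login page"))),
    any_of("Man-in-the-Middle Attack",
        any_of("Interception", leaf("Use packet sniffer"),
               leaf("Use rogue Wi-Fi hotspot")),
        any_of("Modification", leaf("Alter data packets"),
               leaf("Redirect traffic"))))

# Constructed mapping: control -> leaves it is assumed to block completely.
CONTROLS = {
    "patch management": {"Use known software exploit"},
    "account lockout": {"Guess passwords", "Use a password cracking tool"},
    "authenticated encryption": {"Use packet sniffer", "Alter data packets"},
}

def residual(node, blocked):
    """Subtree still achievable once the `blocked` leaves are mitigated, else None."""
    if node["gate"] == "LEAF":
        return None if node["label"] in blocked else node
    kids = [residual(k, blocked) for k in node["kids"]]
    if node["gate"] == "AND" and any(k is None for k in kids):
        return None                      # one blocked step breaks an AND node
    kids = [k for k in kids if k is not None]
    return {**node, "kids": kids} if kids else None

def open_leaves(node):
    """Leaf activities that remain in a residual tree, in tree order."""
    if node is None:
        return []
    if node["gate"] == "LEAF":
        return [node["label"]]
    return [name for k in node["kids"] for name in open_leaves(k)]

def assess(tree, deployed):
    """Leaves that can still reach the root goal with `deployed` controls."""
    blocked = set().union(*(CONTROLS[c] for c in deployed))
    return open_leaves(residual(tree, blocked))

if __name__ == "__main__":
    print(assess(TREE, list(CONTROLS)))
```

Because every node here is an OR, the root goal stays reachable until every leaf beneath it is blocked, which is why the remaining leaves are the defender's priority list.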
