2 The Need For Security

The document discusses the critical need for information security within organizations, emphasizing that it is a shared responsibility between management and IT. It outlines various threats to information security, including malware, human error, and espionage, and highlights the importance of protecting data and technology assets. The text also addresses the consequences of inadequate security measures and the necessity for robust security programs to mitigate risks.

Uploaded by usairashahbaz152

Information Security
The Need for Security

By
Dr. Mudassar Raza
Professor
Department of Computer Science
Namal University Mianwali
https://techgirls.ece.vt.edu/slides/introduction_to_cybersecurity.html#39

By: Dr. Mudassar Raza


Principles of Information Security, Fourth Edition
Chapter 2
The Need for Security

Learning Objectives
• Upon completion of this material, you should be able to:
• Demonstrate that organizations have a business need for information security
• Explain why a successful information security program is the responsibility of
both an organization’s general management and IT management

Principles of Information Security, Fourth Edition


By: Dr. Mudassar Raza
Learning Objectives (cont’d.)
• Identify the threats posed to information security and the more common
attacks associated with those threats, and differentiate threats to the
information within systems from attacks against the information within
systems
• Describe the issues facing software developers, as well as the most common
errors made by developers, and explain how software development programs
can create software that is more secure and reliable

Introduction
• Primary mission of information security is to ensure that systems and
their contents remain as intended: unaltered, available, and accessible only to those authorized
• If no threats existed, resources could be focused on improving
systems, resulting in vast improvements in ease of use and usefulness
• Attacks on information systems are a daily occurrence

Business Needs First
Technology Needs Last
• Information security performs four important functions for an
organization
• Protects the organization’s ability to function
• Enables safe operation of applications implemented on its IT systems
• Protects data the organization collects and uses
• Safeguards technology assets in use

Protecting the Functionality of an
Organization
• Management (general and IT) responsible for implementation
• Information security is both management issue and people issue
• Organization should address information security in terms of business
impact and cost

Enabling the Safe Operation of
Applications
• Organization needs environments that safeguard applications using IT
systems
• Management must continue to oversee infrastructure once in place—
not relegate to IT department

Protecting Data that Organizations
Collect and Use
• Organization, without data, loses its record of transactions and/or
ability to deliver value to customers
• Protecting data in motion and data at rest are both critical aspects of
information security

Safeguarding Technology Assets in
Organizations
• Organizations must have secure infrastructure services based on size
and scope of enterprise
• Additional security services may be needed as organization grows
• More robust solutions may be needed to replace security programs
the organization has outgrown

Threats
• Threat: an object, person, or other entity that represents a constant
danger to an asset
• Management must be informed of the different threats facing the
organization
• Overall security is improving
• The 2009 CSI/FBI survey found
• 64 percent of organizations had malware infections
• 14 percent indicated system penetration by an outsider

Table 2-1 Threats to Information Security

Compromises to Intellectual
Property
• Intellectual property (IP): “ownership of ideas and control over the
tangible or virtual representation of those ideas”
• The most common IP breaches involve software piracy
• Two watchdog organizations investigate software abuse:
• Software & Information Industry Association (SIIA)
• Business Software Alliance (BSA)
• Enforcement of copyright law has been attempted with technical
security mechanisms

Deliberate Software Attacks
• Malicious software (malware) designed to damage, destroy, or deny
service to target systems
• Includes:
• Viruses
• Worms
• Trojan horses
• Logic bombs
• Back door or trap door
• Polymorphic threats
• Virus and worm hoaxes

Deliberate Software Attacks
• What is a Software Attack? A software attack is an attempt to exploit vulnerabilities in software or systems to gain unauthorized access, steal
data, disrupt operations, or cause harm.

• A hacker sends a malicious email attachment containing malware. When the victim opens it, the malware installs on their system and steals
sensitive information.

• Malware Attacks – Malicious software like viruses, worms, and Trojans infect a system.

• Phishing Attacks – Fake emails or websites trick users into revealing sensitive information.

• Denial-of-Service (DoS) Attacks – Overloads a system to make it unavailable to users.

• Ransomware Attacks – Encrypts user data and demands payment for its release.

• Man-in-the-Middle (MITM) Attacks – Intercepts communication between two parties to steal or alter data.

• SQL Injection Attacks – Exploits database vulnerabilities to access or manipulate data.

• What is a Trojan Horse Software Attack? A Trojan Horse is a type of malware that disguises itself as a legitimate program but secretly
performs harmful actions, such as stealing data or giving hackers remote access to a system.

• A user downloads a free game, but it secretly installs a backdoor, allowing hackers to access their computer.
Figure 2-4 Trojan Horse Attack

Deviations in Quality of Service
• Includes situations where products or services are not delivered as
expected
• Information system depends on many interdependent support
systems
• Internet service, communications, and power irregularities
dramatically affect availability of information and systems

Deviations in Quality of Service
(cont’d.)
• Internet service issues
• Internet service provider (ISP) failures can considerably
undermine availability of information
• Outsourced Web hosting provider assumes responsibility
for all Internet services as well as hardware and Web site
operating system software
• Communications and other service provider issues
• Other utility services affect organizations: telephone,
water, wastewater, trash pickup, etc.
• Loss of these services can affect organization’s ability to
function

Deviations in Quality of Service
(cont’d.)
• Power irregularities
• Commonplace
• Organizations with inadequately conditioned power are susceptible
• Controls can be applied to manage power quality
• Fluctuations (short or prolonged)
• Excesses (spikes or surges) – voltage increase
• Shortages (sags or brownouts) – low voltage
• Losses (faults or blackouts) – loss of power

Deviations in Quality of Service
(cont’d.)
• Quality of Service (QoS) refers to the performance level of a service, especially in networking and telecommunications.

• Deviation in QoS occurs when the actual service quality does not meet the expected or agreed standards.

• A banking system relies on a high-speed network to process online transactions securely. However, due to network congestion or a Denial-of-Service (DoS) attack, the system experiences:

• High Latency → Transactions take too long to complete.

• Packet Loss → Some transaction requests are dropped or time out and must be retried; any that are not reconciled correctly show up later as financial discrepancies.

• Causes of QoS Deviation:

• Network Congestion – Too many users or data packets slow down the network.

• High Latency (Delay) – Delayed data transmission affects real-time applications like video calls.

• Packet Loss – Data packets fail to reach their destination, causing missing information.

Espionage or Trespass
• Access of protected information by unauthorized individuals
• Competitive intelligence (legal) vs. industrial espionage (illegal)
• Shoulder surfing can occur anywhere a person accesses confidential
information
• Controls let trespassers know they are encroaching on organization’s
cyberspace
• Hackers use skill, cleverness, or fraud to bypass controls protecting
others’ information

Figure 2-5 Shoulder Surfing

Figure 2-6 Hacker Profiles

Espionage or Trespass (cont’d.)
• Expert hacker
• Develops software scripts and program exploits
• Usually a master of many skills
• Will often create attack software and share with others
• Unskilled hacker
• Many more unskilled hackers than expert hackers
• Use expertly written software to exploit a system
• Do not usually fully understand the systems they hack

Espionage or Trespass (cont’d.)
• Other terms for system rule breakers:
• Cracker: “cracks” or removes software protection designed to prevent
unauthorized duplication
• Phreaker: hacks the public telephone network

Espionage or Trespass (cont’d.)
• Competitive Intelligence (Legal) vs. Industrial Espionage (Illegal)

• Competitive Intelligence (Legal)
• Collecting publicly available data.
• Using market research, public reports, and legal sources.
• Ethical and follows laws and regulations.

• Industrial Espionage (Illegal)
• Stealing confidential information.
• Hacking, bribing employees, or spying.
• Unethical and violates laws.

Espionage or Trespass (cont’d.)
• Espionage (also called spying) is when someone secretly gathers confidential or sensitive information without permission. It is often done
for political, military, or business advantage.

• Trespass is when someone accesses a system, network, or physical place without permission, even if they don’t steal anything.

• Corporate Espionage: A rival company hacks into another company’s database to steal new product designs.

• Government Espionage: A spy secretly steals military plans from another country.

• Cyber Trespass: A hacker gains unauthorized access to a company’s internal system but does not cause damage.

Forces of Nature
• Forces of nature are among the most dangerous threats
• Disrupt not only individual lives, but also storage, transmission, and
use of information
• Organizations must implement controls to limit damage and prepare
contingency plans for continued operations

Human Error or Failure
• Includes acts performed without malicious intent
• Causes include:
• Inexperience
• Improper training
• Incorrect assumptions
• Employees are among the greatest threats to an organization’s data

Human Error or Failure (cont’d.)
• Employee mistakes can easily lead to:
• Revelation of classified data
• Entry of erroneous data
• Accidental data deletion or modification
• Data storage in unprotected areas
• Failure to protect information
• Many of these threats can be prevented with controls

Figure 2-8 Acts of Human Error or Failure

Information Extortion
• Attacker steals information from computer system and demands
compensation for its return or nondisclosure
• Commonly done in credit card number theft

Information Extortion
Information extortion is when someone steals sensitive information and demands money or
favors to keep it secret or return it. It is a form of cybercrime or blackmail.

• Examples of Information Extortion:

• Ransomware Attack – A hacker encrypts a company's files and demands payment to unlock
them.

• Data Leak Threat – A cybercriminal steals customer data from an online store and threatens
to publish it unless they are paid.

• Personal Blackmail – A hacker gets access to someone's private photos or messages and
demands money to not share them online.

Missing, Inadequate, or Incomplete
Policy, Planning, or Controls
• Missing, inadequate, or incomplete organizational policy or planning can
make an organization vulnerable to loss, damage, or disclosure of information assets
• Missing, inadequate, or incomplete controls make an organization more likely
to suffer losses when other threats lead to attacks

Missing, Inadequate, or Incomplete
Policy, Planning, or Controls
• Missing, Inadequate, or Incomplete – What Does It Mean?

• These terms describe gaps in an organization’s security policy, planning, or controls. A gap is not itself an attack; it is what lets another threat succeed.

• Missing → A policy, plan, or control is completely absent.

• Example: No patch-management process exists, so systems keep running software with known security holes.

• Inadequate → A policy or control exists but is not strong enough to meet the required standard.

• Example: A company’s password policy is weak (e.g., allowing "12345" as a password), making it easy for attackers to guess credentials.

• Incomplete → A policy or plan is partially defined but not fully worked out.

• Example: An incident response plan names a response team but omits contact details, escalation steps, and recovery procedures, so nobody knows what to do when an incident occurs.

Sabotage or Vandalism
• Threats can range from petty vandalism to organized sabotage
• Web site defacing can erode consumer confidence, dropping sales
and organization’s net worth
• Threat of hacktivist or cyberactivist operations rising
• Cyberterrorism: much more sinister form of hacking

Figure 2-9 Cyber Activists Wanted

Sabotage and vandalism both involve intentional damage, but they differ in purpose:
Sabotage → Deliberate destruction to harm an organization, system, or person, often for
revenge or political reasons.
Vandalism → Random or reckless damage to property or systems, often for fun or out of
anger.
Examples:
🔹 Sabotage:
A disgruntled employee deletes critical company data before quitting.
Hackers shut down a government website to protest a policy.
🔹 Vandalism:
Someone spray-paints graffiti on a company’s office walls.
A hacker defaces a website by changing its homepage with offensive content.

Theft
• Illegal taking of another’s physical, electronic, or intellectual property
• Physical theft is controlled relatively easily
• Electronic theft is more complex problem; evidence of crime not
readily apparent

Theft
• Physical Theft → Stealing tangible objects like laptops, USB drives, or documents.

• Example: Someone steals a company's server or hard drive containing sensitive data.

• Electronic Theft (Cyber Theft) → Stealing digital data or hacking into systems.

• Example: A hacker steals customer credit card details from an online store.

• Intellectual Property Theft → Stealing ideas, inventions, or copyrighted content.

• Example: Someone pirates software or sells copied business designs.

• Why is Electronic Theft Hard to Detect?

• No physical break-in, and nothing visibly goes missing.

• Data can be copied without the owner knowing, because copying leaves the original in place.

• Attackers can encrypt or tunnel the stolen data so it blends into normal outbound traffic and leaves few obvious traces.

Technical Hardware Failures or
Errors
• Occur when manufacturer distributes equipment containing flaws to
users
• Can cause the system to perform outside of expected parameters,
resulting in unreliable or poor service
• Some errors are terminal; some are recurrent

Technical Hardware Failures or
Errors
• Technical hardware failure or error occurs when a device or system component fails to work correctly due to defects, design flaws, or wear and tear.

• Manufacturing Defects – Faulty components from the manufacturer.

• Wear and Tear – Aging hardware degrades over time.

• Overheating – Lack of cooling damages internal parts.

• Types of Failures:

• Terminal Failures → Permanent damage; hardware must be replaced.

• Example: A hard drive crashes and cannot be recovered.

• Recurrent Failures → Temporary or repeated malfunctions.

• Example: A laptop keeps freezing due to a faulty RAM module.

• A malfunction is when a device, system, or process fails to work correctly or behaves unexpectedly.

Technical Software Failures or Errors
• Purchased software that contains unrevealed faults
• Combinations of certain software and hardware can reveal new
software bugs
• Entire Web sites dedicated to documenting bugs

Technical Software Failures or Errors
• Technical software failures or errors occur when software does not
function as expected due to bugs, compatibility issues, or hidden
defects.
• Causes of Software Failures:

• Unrevealed Faults – Software is released with hidden bugs that only appear in certain conditions.

• Compatibility Issues – Some software works fine alone but fails when combined with certain hardware or other programs.

• Poor Testing – Inadequate testing before release leads to unexpected errors in real-world use.

• Examples:

• A mobile app crashes when running on a specific phone model.

• A website doesn’t load properly in some browsers due to coding errors.

Technological Obsolescence
• Antiquated/outdated infrastructure can lead to unreliable,
untrustworthy systems
• Proper managerial planning should prevent technology obsolescence
• IT plays large role

Technological Obsolescence
• Technological obsolescence occurs when hardware, software, or systems become outdated and no longer function efficiently or securely. This can lead to
unreliable and untrustworthy systems, affecting performance and security.

• Causes of Technological Obsolescence:

• Old computers, outdated software, and legacy systems no longer meet modern needs.

• Systems become vulnerable when manufacturers stop providing updates or support.

• Advanced tools and techniques make older versions obsolete.

• Examples: A company still using Windows XP faces security risks because Microsoft no longer supports it.

• An old router cannot handle high-speed internet, causing slow network performance.

• Businesses using floppy disks or outdated databases struggle to integrate with modern systems.

• How to Prevent It? Proper managerial planning to upgrade technology regularly.

• IT teams play a key role in ensuring software and hardware stay up to date.

Attacks
• Attacks
• Acts or actions that exploit a vulnerability (i.e., an identified weakness) in a
controlled system
• Accomplished by a threat agent that damages or steals the organization’s
information
• Types of attacks
• Malicious code: includes execution of viruses, worms, Trojan horses, and
active Web scripts with intent to destroy or steal information
• Hoaxes: transmission of a virus hoax with a real virus attached; a more devious
form of attack (fake virus warnings or scam messages that trick users into taking
harmful actions)

Table 2-2 Attack Replication Vectors

Attacks (cont’d.)
• Types of attacks (cont’d.)
• Back door: gaining access to a system or network through a known or newly
discovered access mechanism that bypasses the normal security controls. A back door
may be planted by an attacker or left in place by a developer; whoever knows it can
skip authentication and take control of the system
• Password crack: attempting to recover a password, usually by guessing candidates,
hashing each one, and comparing the result with a stolen password hash
• Brute force: trying every possible combination of characters up to some length
• Dictionary: selects specific accounts to attack and uses a list of commonly used
passwords (i.e., the dictionary) to guide guesses
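
The three password-attack bullets above describe the attacker's workload in words. The following Python block is an added example (not from the slides or the textbook) that runs a dictionary attack and a brute-force attack against a stolen hash and then shows why a salted, iterated hash (PBKDF2-HMAC-SHA256 here) multiplies the attacker's cost. The wordlist, the sample passwords and the choice of hash functions are constructed for the demonstration.

```python
import hashlib
import itertools
import os
import string
from typing import Callable, Optional, Tuple

# Constructed fixture: a small list of common passwords (assumption, not from the slides).
WORDLIST = ["password", "letmein", "qwerty", "welcome1", "summer2024", "admin"]


def fast_hash(password: str) -> str:
    """Unsalted single SHA-256: cheap for the defender, and exactly as cheap for the attacker."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. Every guess costs the attacker `iterations`
    HMAC computations, and the per-user salt means one cracked hash does not give away
    other users who chose the same password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def dictionary_attack(target: str, hasher: Callable[[str], str]) -> Tuple[Optional[str], int]:
    """Dictionary attack: hash each wordlist entry and compare with the stolen hash.
    Returns (recovered password or None, number of guesses made)."""
    for guesses, candidate in enumerate(WORDLIST, start=1):
        if hasher(candidate) == target:
            return candidate, guesses
    return None, len(WORDLIST)


def brute_force(target: str, hasher: Callable[[str], str],
                alphabet: str = string.ascii_lowercase,
                max_len: int = 4) -> Tuple[Optional[str], int]:
    """Brute force: try every string over `alphabet` from length 1 up to `max_len`."""
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if hasher(candidate) == target:
                return candidate, guesses
    return None, guesses


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Number of candidates a brute-force run must cover in the worst case."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def attacker_hash_cost(guesses: int, iterations: int) -> int:
    """Total hash computations the attacker pays for `guesses` attempts against a hash
    that applies `iterations` rounds (1 for plain SHA-256)."""
    return guesses * iterations


if __name__ == "__main__":
    print("dictionary vs SHA-256:", dictionary_attack(fast_hash("letmein"), fast_hash))
    print("brute force vs SHA-256:", brute_force(fast_hash("abc"), fast_hash))
    salt1, salt2 = os.urandom(16), os.urandom(16)
    print("same password, two salts, different hashes:",
          slow_hash("letmein", salt1) != slow_hash("letmein", salt2))
    print("keyspace for 26 letters up to length 8:", keyspace(26, 8))
    print("hash cost for that keyspace at 100k rounds:",
          attacker_hash_cost(keyspace(26, 8), 100_000))
```

The dictionary attack finds "letmein" on its second guess regardless of the hash function; what the slow hash changes is the price of each guess, which is why the lowercase-only length-8 keyspace of roughly 2.2e11 candidates becomes 2.2e16 HMAC computations at 100,000 rounds. Real password storage should use a dedicated password hash (PBKDF2 as here, or bcrypt, scrypt or Argon2) with a random per-user salt.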

Attacks (cont’d.)
• Types of attacks (cont’d.)
• Denial-of-service (DoS): attacker sends large number of connection or
information requests to a target
• Target system cannot handle successfully along with other, legitimate service requests
• May result in system crash or inability to perform ordinary functions
• Distributed denial-of-service (DDoS): coordinated stream of requests is
launched against target from many locations simultaneously
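
To show what the DoS and DDoS descriptions above look like from the defender's side, here is an added Python example (not part of the original slides or textbook). It parses web-server access-log lines, flags a single source whose request rate inside a sliding window crosses a threshold (the DoS case), and separately flags an aggregate spike spread across many sources where no single source stands out (the DDoS case). The log lines, the addresses (taken from the RFC 5737 documentation ranges) and the thresholds are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Apache/nginx-style access-log line: client, identity, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')


def parse_line(line: str) -> Tuple[str, datetime, str]:
    """Return (client_ip, timestamp, request_line); raise ValueError for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts, m.group(3)


def peak_rate_per_source(lines: List[str], window_seconds: int = 10) -> Dict[str, int]:
    """For each client, the largest number of requests that fall inside any one sliding window."""
    times = defaultdict(list)
    for line in lines:
        ip, ts, _ = parse_line(line)
        times[ip].append(ts)
    window = timedelta(seconds=window_seconds)
    peaks = {}
    for ip, stamps in times.items():
        stamps.sort()
        left, best = 0, 0
        for right, ts in enumerate(stamps):
            while ts - stamps[left] >= window:   # drop requests that fell out of the window
                left += 1
            best = max(best, right - left + 1)
        peaks[ip] = best
    return peaks


def detect_floods(lines: List[str], window_seconds: int = 10, threshold: int = 100) -> Dict[str, int]:
    """Single-source DoS: clients whose peak rate in one window reaches the threshold."""
    return {ip: n for ip, n in peak_rate_per_source(lines, window_seconds).items() if n >= threshold}


def detect_distributed(lines: List[str], window_seconds: int = 10,
                       total_threshold: int = 500, min_sources: int = 50) -> bool:
    """DDoS signal: the aggregate rate in one window crosses a threshold while the
    requests come from many distinct sources, so no per-source rule fires."""
    events = sorted((parse_line(l)[1], parse_line(l)[0]) for l in lines)
    window = timedelta(seconds=window_seconds)
    in_window: Counter = Counter()
    left = 0
    for ts, ip in events:
        in_window[ip] += 1
        while ts - events[left][0] >= window:
            old_ip = events[left][1]
            in_window[old_ip] -= 1
            if in_window[old_ip] == 0:
                del in_window[old_ip]
            left += 1
        if sum(in_window.values()) >= total_threshold and len(in_window) >= min_sources:
            return True
    return False


def _fmt(ip: str, ts: datetime, path: str) -> str:
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" 200 512'


def sample_log() -> List[str]:
    """Constructed sample: one normal client, one flooding client, and a botnet-style burst."""
    base = datetime(2024, 3, 10, 14, 0, 0, tzinfo=timezone.utc)
    lines = [_fmt("198.51.100.2", base + timedelta(seconds=2 * i), "/home") for i in range(10)]
    # single source: 300 requests in 6 seconds
    lines += [_fmt("203.0.113.7", base + timedelta(seconds=i // 50), "/search?q=x") for i in range(300)]
    # 80 sources, 8 requests each, all between t=30s and t=34s
    lines += [_fmt(f"192.0.2.{s}", base + timedelta(seconds=30 + (r % 5)), "/api/login")
              for s in range(1, 81) for r in range(8)]
    return lines


if __name__ == "__main__":
    log = sample_log()
    print("single-source floods:", detect_floods(log))
    print("distributed burst present:", detect_distributed(log))
```

The per-source rule catches 203.0.113.7 at 300 requests in its window and ignores the normal client; it also ignores every 192.0.2.x host, because each sends only eight requests. Only the aggregate rule sees the burst, which is the practical reason DDoS defence needs rate limiting at the aggregate or upstream level rather than per-client blocking alone.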

Figure 2-11 Denial-of-Service Attacks
Attacks (cont’d.)
• Types of attacks (cont’d.)
• Spoofing: technique used to gain unauthorized access; intruder assumes a
trusted IP address
• Man-in-the-middle: attacker monitors network packets, modifies them, and
inserts them back into network
• Spam: unsolicited commercial e-mail; more a nuisance than an attack, though
is emerging as a vector for some attacks
• Mail bombing: also a DoS; attacker routes large quantities of e-mail to target

Figure 2-12 IP Spoofing
Figure 2-13 Man-in-the-Middle Attack
Attacks (cont’d.)
• Types of attacks (cont’d.)
• Sniffers: program or device that monitors data traveling over network; can be
used both for legitimate purposes and for stealing information from a
network
• Phishing: an attempt to gain personal/financial information from individual,
usually by posing as legitimate entity
• Pharming: redirection of legitimate Web traffic (e.g., browser requests) to
illegitimate site for the purpose of obtaining private information

Attacks (cont’d.)
• Types of attacks (cont’d.)
• Social engineering: using social skills to convince people to reveal access
credentials or other valuable information to attacker
• “People are the weakest link. You can have the best technology; firewalls,
intrusion-detection systems, biometric devices ... and somebody can call an
unsuspecting employee. That's all she wrote, baby. They got everything.” —
Kevin Mitnick
• Timing attack: relatively new; in the textbook’s usage, works by exploring the
contents of a Web browser’s cache to create a malicious cookie. More generally, a
timing attack is a side channel: the attacker infers a secret from how long an
operation takes, for example a comparison that stops at the first mismatched byte
and so reveals how many leading bytes of a guessed token were correct

Secure Software Development
• Many information security issues discussed here are caused by
software elements of system
• Development of software and systems is often accomplished using
methodology such as Systems Development Life Cycle (SDLC)
• Many organizations recognize need for security objectives in SDLC and
have included procedures to create more secure software
• This software development approach known as Software Assurance
(SA)

Software Assurance and the SA
Common Body of Knowledge
• National effort underway to create common body of knowledge
focused on secure software development
• US Department of Defense and Department of Homeland Security
supported Software Assurance Initiative, which resulted in publication
of Secure Software Assurance (SwA) Common Body of Knowledge
(CBK)
• SwA CBK serves as a strongly recommended guide to developing more
secure applications

Software Design Principles
• Good software development results in secure products that meet all
design specifications
• Some commonplace security principles (after Saltzer and Schroeder):
• Keep design simple and small (economy of mechanism)
• Access decisions by permission not exclusion (fail-safe defaults: deny unless explicitly allowed)
• Every access to every object checked for authority (complete mediation)
• Design depends on possession of keys/passwords, not on the design itself being secret (open design)
• Protection mechanisms require two keys to unlock (separation of privilege)
• Programs/users utilize only necessary privileges (least privilege)

Software Design Principles (cont’d.)
• Some commonplace security principles (cont’d.):
• Minimize mechanisms common to multiple users (least common mechanism)
• Human interface must be easy to use so users routinely/automatically use
protection mechanisms (psychological acceptability)

Software Development Security
Problems
• Problem areas in software development:
• Buffer overruns
• Command injection
• Cross-site scripting
• Failure to handle errors
• Failure to protect network traffic
• Failure to store and protect data securely
• Failure to use cryptographically strong random numbers
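
"Failure to use cryptographically strong random numbers" stays abstract until a predictable token is actually recovered. The block below is an added Python example (not from the slides or the textbook): a password-reset token minted from a general-purpose PRNG seeded with the clock, and the attacker's loop that recovers it given only an approximate issue time, beside the correct primitive from the `secrets` module. The token scheme, the timestamp and the search window are constructed for the demonstration.

```python
import random
import secrets
from typing import Optional


def weak_reset_token(seed_time: int) -> int:
    """Token minted from a PRNG seeded with the current time (a pattern that appears in
    real code; constructed here). random.Random is a Mersenne Twister: same seed, same
    output, every time, on every machine."""
    rng = random.Random(seed_time)
    return rng.getrandbits(64)


def recover_seed(token: int, approx_time: int, window_seconds: int = 300) -> Optional[int]:
    """Attacker's side: knowing roughly when the token was issued (for example from the
    Date header of the reset e-mail), replay every candidate second until the token
    reproduces. Returns the seed that worked, or None if it lies outside the window."""
    for t in range(approx_time - window_seconds, approx_time + window_seconds + 1):
        if weak_reset_token(t) == token:
            return t
    return None


def strong_reset_token() -> str:
    """Token from the operating system's CSPRNG via `secrets`: 128 bits of entropy and
    no seed for an attacker to guess."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    issued_at = 1_710_079_200                      # constructed issue time (Unix seconds)
    token = weak_reset_token(issued_at)
    print("weak token:", hex(token))
    print("seed recovered from a guess 42 s off:", recover_seed(token, issued_at + 42))
    print("strong token:", strong_reset_token())
```

The search costs 601 PRNG initialisations and takes well under a second. Note that the seed is not even required: the Mersenne Twister's internal state can be reconstructed from 624 consecutive 32-bit outputs, so any token scheme built on `random` is predictable once an attacker has seen enough earlier tokens. Use `secrets` (or `os.urandom`) for anything that must be unguessable.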

Software Development Security
Problems (cont’d.)
• Problem areas in software development (cont’d.):
• Format string problems
• Neglecting change control
• Improper file access
• Improper use of SSL
• Information leakage
• Integer bugs (overflows/underflows)
• Race conditions
• SQL injection
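
SQL injection from the list above, made concrete. This is an added Python/SQLite example (not the slides' or the textbook's own code) with a login query built by string formatting beside the parameterised form; the in-memory users table and the placeholder password-hash strings are constructed for the demonstration.

```python
import sqlite3
from typing import List, Tuple


def setup_db() -> sqlite3.Connection:
    """Constructed fixture: an in-memory users table with placeholder hash values."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "hash-of-alice", "admin"),
        ("bob", "hash-of-bob", "user"),
    ])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str,
                     password_hash: str) -> List[Tuple[str, str]]:
    """String formatting splices the caller's text into the SQL grammar, so a quote
    or a comment marker in the input rewrites the statement."""
    query = ("SELECT username, role FROM users "
             f"WHERE username = '{username}' AND password_hash = '{password_hash}'")
    return conn.execute(query).fetchall()


def login_safe(conn: sqlite3.Connection, username: str,
               password_hash: str) -> List[Tuple[str, str]]:
    """Parameterised query: the driver sends the statement and the values separately,
    so quotes and comment markers in the input are only characters inside a string."""
    query = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchall()


if __name__ == "__main__":
    db = setup_db()
    for payload in ("alice' --", "' OR '1'='1' --"):
        print(f"payload {payload!r}")
        print("  vulnerable:", login_vulnerable(db, payload, "wrong"))
        print("  safe:      ", login_safe(db, payload, "wrong"))
```

With `alice' --` the vulnerable query ends at the comment marker, so the password check is never evaluated and the admin row comes back; with `' OR '1'='1' --` every row comes back. The parameterised version returns nothing for both, because no user has a name that literally contains the payload. The same rule holds for every database driver: never build statements from untrusted text, always bind values.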

Software Development Security
Problems (cont’d.)
• Problem areas in software development (cont’d.):
• Trusting network address resolution
• Unauthenticated key exchange
• Use of magic URLs and hidden forms
• Use of weak password-based systems
• Poor usability
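
The man-in-the-middle entry among the attack types earlier in this chapter and the "Unauthenticated key exchange" item in the list above are the same failure seen from two sides. The following block is an added Python example (not from the slides or the textbook) that runs a Diffie-Hellman exchange with Mallory on the wire: without authentication she ends up sharing one key with each party and rewrites a message in transit; with an HMAC over the public value under a pre-shared key (standing in for the signature or certificate a real protocol would use) Bob rejects the substituted value. The group parameters and the XOR stream cipher are toy assumptions chosen for readability, not for real use.

```python
import hashlib
import hmac
import secrets
from typing import Dict

# Toy Diffie-Hellman parameters (assumption: small enough to read; a real deployment
# uses an RFC 7919 group with a 2048-bit or larger prime).
P = 2**127 - 1
G = 5


def random_exponent() -> int:
    return secrets.randbelow(P - 2) + 1


def dh_public(priv: int) -> int:
    return pow(G, priv, P)


def dh_shared_key(peer_pub: int, priv: int) -> bytes:
    """Hash the shared group element down to a 32-byte symmetric key."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (illustration only): XOR with a SHA-256-derived keystream."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def run_unauthenticated(message: bytes = b"PAY 100 TO BOB") -> Dict[str, bytes]:
    """Alice and Bob exchange bare public values; Mallory sits between them."""
    a, b, m = random_exponent(), random_exponent(), random_exponent()
    A, B, M = dh_public(a), dh_public(b), dh_public(m)
    # On the wire: Alice sends A, Mallory replaces it with M before it reaches Bob;
    # Bob sends B, Mallory replaces it with M before it reaches Alice.
    k_alice = dh_shared_key(M, a)          # Alice believes M came from Bob
    k_bob = dh_shared_key(M, b)            # Bob believes M came from Alice
    k_mal_alice = dh_shared_key(A, m)      # equals k_alice
    k_mal_bob = dh_shared_key(B, m)        # equals k_bob
    ciphertext = xor_crypt(k_alice, message)                # Alice encrypts and sends
    read_by_mallory = xor_crypt(k_mal_alice, ciphertext)    # Mallory decrypts ...
    altered = read_by_mallory.replace(b"BOB", b"MAL")       # ... edits the payee ...
    forwarded = xor_crypt(k_mal_bob, altered)               # ... and re-encrypts for Bob
    received = xor_crypt(k_bob, forwarded)                  # Bob decrypts without complaint
    return {"sent": message, "mallory_read": read_by_mallory, "bob_received": received}


def auth_tag(psk: bytes, pub: int) -> bytes:
    """Authenticate the public value. An HMAC under a pre-shared key stands in here for
    the signature or certificate a real protocol (e.g. TLS) would use."""
    return hmac.new(psk, pub.to_bytes(16, "big"), "sha256").digest()


def run_authenticated(psk: bytes = b"constructed pre-shared secret") -> bool:
    """Returns True when Bob rejects Mallory's substituted public value."""
    a, m = random_exponent(), random_exponent()
    A, M = dh_public(a), dh_public(m)
    alice_tag = auth_tag(psk, A)
    # Mallory can swap A for M but cannot compute auth_tag(psk, M) without the key,
    # so the best she can do is forward Alice's tag next to her own value.
    received_pub, received_tag = M, alice_tag
    return not hmac.compare_digest(auth_tag(psk, received_pub), received_tag)


if __name__ == "__main__":
    print(run_unauthenticated())
    print("authenticated exchange rejects substitution:", run_authenticated())
```

The arithmetic that makes Diffie-Hellman work (both parties reach g^(ab)) is exactly what lets Mallory reach g^(am) with Alice and g^(bm) with Bob, because nothing binds a public value to the identity that sent it. Authentication of the exchanged values, not the secrecy of the exponents, is what stops the attack; the same lesson applies to "Trusting network address resolution" and "Improper use of SSL" in this list, where an unverified DNS answer or an unverified certificate lets the attacker choose who you are really talking to.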

Summary
• Unlike any other aspect of IT, information security’s primary mission is
to ensure things stay the way they are
• Information security performs four important functions:
• Protects organization’s ability to function
• Enables safe operation of applications implemented on organization’s IT
systems
• Protects data the organization collects and uses
• Safeguards the technology assets in use at the organization

Summary (cont’d.)
• Threat: object, person, or other entity representing a constant danger
to an asset
• Management effectively protects its information through policy,
education, training, and technology controls
• Attack: a deliberate act that exploits vulnerability
• Secure systems require secure software

Thank You
