Introduction to Information Security (IT200)

INTRODUCTION TO
INFORMATION AND
COMPUTER
SECURITY

CHAPTER 1

UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
Introduction to Information Security (IT200)

• Define information security

• Relate the history of computer
Learning security and how it evolved into
information security
Objectives • Define key terms and critical
concepts of information security as
presented in this chapter

UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
Introduction to Information Security (IT200)

Chapter Outline
• Information Security History
• Definition
− Security
− Information Security
• The CIA Concepts
• Critical Characteristics of Information
• Type of security threats
• Type of Attacker

UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
4

Introduction
• Information security: a “well-informed sense of
assurance that the information risks and controls
are in balance.” — Jim Anderson, Inovant (2002)

• Necessary to review the origins of this field and its

impact on our understanding of information
security today
Principles of Information Security, 3rd Edition
5

The History of
Information Security
• Computer security began immediately after
the first mainframes were developed

− Groups developing code-breaking

computations during World War II created
the first modern computers
− Multiple levels of security were
implemented

• The need for physical security

• Physical controls to limit access to sensitive

military locations to authorized personnel

• Rudimentary in defending against physical

theft, espionage, and sabotage
Principles of Information Security, 3rd Edition
6

Introduction to Information Security (IT200)

Figure 1-1 – The Enigma

➢ The Enigma machine is a piece of

spook hardware invented by a German
➢ Used by Britain’s codebreakers as a
way of deciphering German signals
traffic during WW2

UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
7

Introduction to Information Security (IT200)

The 1960s
• Advanced Research Project Agency (ARPA)
began to examine feasibility of redundant
networked communications

• Larry Roberts developed ARPANET from its

inception

UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
Principles of Information Security, 3rd Edition
8

Introduction to Information Security (IT200)

Figure 1-2 - ARPANET

UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
9

Introduction to Information Security (IT200)

The 1970s and 80s

• ARPANET grew in popularity as did its potential for
misuse
• Fundamental problems with ARPANET security
were identified

− Individual remote sites did not have

sufficient controls and safeguards to protect
data from unauthorized remote users;
− No safety procedures for dial-up connections
to ARPANET
− Non-existent user identification and
authorization to system
− Phone numbers were widely distributed
and openly publicized on the walls of rest
rooms and phone booths, giving hackers easy
access to APRANET

UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
Principles of Information Security, 3rd Edition
10

Introduction to Information Security (IT200)

The 1970s and 80s (continued)

• Information security began with Rand Report R-

609 (paper that started the study of computer
security)
• Scope of computer security grew from physical
security to include:
- Safety of data
- Limiting unauthorized access to data
- Involvement of personnel from multiple levels of an
organization

UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
Principles of Information Security, 3rd Edition
11

Introduction to Information Security (IT200)

MULTICS
• Early focus of computer security research
was a system called Multiplexed Information
and Computing Service (MULTICS)
• First operating system created with security as
its primary goal
• Mainframe, time-sharing OS developed in mid-
1960s by General Electric (GE), Bell Labs, and
Massachusetts Institute of Technology (MIT)
• Several MULTICS key players created UNIX
− Primary purpose of UNIX was text
processing

UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
Principles of Information Security, 3rd Edition
12

Introduction to Information Security (IT200)

The 1990s
• Networks of computers became
more common; so too did the
need to interconnect networks

• Internet became first

manifestation of a global network
of networks

• In early Internet deployments,

security was treated as a low
priority

UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
Principles of Information Security, 3rd Edition
13

Introduction to Information Security (IT200)

• The Internet brings millions of computer

networks into communication with each
other—many of them unsecured

• Ability to secure a computer’s data

The influenced by the security of every
computer to which it is connected
Present
• 50B number of connected objects
expected by 2020

• ~ 7 connected devices / person

UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
Principles of Information Security, 3rd Edition
14

Introduction to Information Security (IT200)

What is Security?
• “The quality or state of being secure—to be free
from danger”
• The protection of information and its critical elements,
including systems and hardware that use, store, and
transmit that information
• A successful organization should have multiple layers
of security in place:

- Physical security (physical item, objects)

- Personal security (individual or group who are
authorized to access the organization & its
operations)
- Operations security (details of a particular
operations, project, activities)
- Communications security (organization’s
media, technology & content)
- Network security (networking components,
connection)
- Information security (data & information)
UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
Principles of Information Security, 3rd Edition
15

Introduction to Information Security (IT200)

What is Information Security?

• The protection of information and
its critical elements, including
systems and hardware that use,
store, and transmit that
information
• Necessary tools: policy,
awareness, training, education,
technology
• C.I.A. triangle
− Is a standard based on
confidentiality, integrity,
and availability, now viewed
as inadequate.
− Expanded into list of critical
characteristics of information

UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
Principles of Information Security, 3rd Edition
16

Introduction to Information Security (IT200)

Critical Characteristics of Information

• The value of information comes from the

characteristics it possesses:
- Availability : enable authorized used to access info without
interference & in the required format
- Accuracy : free from mistake or error.
- Authenticity : originality
- Confidentiality : related with privacy
- Integrity : Being whole, complete, and uncorrupted
- Utility : having value for some purpose
- Possession : having ownership or control

UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
Introduction to Information Security (IT200)

Information Security
• Information is an asset which, like other important business
assets, has value to an organization and consequently needs to
be suitably protected
• Definition:
− Preservation of confidentiality, integrity and availability of
information; in addition, other properties such as authenticity,
accountability, non-repudiation and reliability can also be
involved (ISO27001:2005)
• InfoSec also is The process of protecting the confidentiality,
availability and integrity (CIA) of data from accidental or
intentional misuse
• InfoSec is the Combination of technical and non-technical
approaches to reduce risks to information systems

UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
Introduction to Information Security (IT200)

Security concepts –
information
✓ Confidentiality
✓ Integrity
✓ Availability

Security Concept –
People
✓ Authorization
✓ Authentication
✓ Accountability / Non-
repudiation

UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
Introduction to Information Security (IT200)
Operational Model of Computer
Security
• The operational model of computer security includes two
additions to the original security equation:
• Protection = Prevention + (Detection + Response)
• Every security technique and technology falls into at least
one of the three elements of the equation.
PROTECTION =
PREVENTION + ( DETECTION + RESPONSE )

Sample technologies in the operational model of computer security

UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
Principles of Information Security, 3rd Edition
20

Introduction to Information Security (IT200)

Components of an Information System

Information system (IS) is entire set of:

✓Software,
✓Hardware,
✓Data,
✓People,
✓Procedures, and
✓Networks
that enable businesses to use information as a
resource in the organization

UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
Principles of Information Security, 3rd Edition
21

Introduction to Information Security (IT200)

Securing Components

• Computer can be subject of an attack and/or the

object of an attack

- When the subject of an attack, computer is used as an

active tool to conduct attack

- When the object of an attack, computer is the entity being

attacked

UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
Principles of Information Security, 3rd Edition
22

Introduction to Information Security (IT200)

Figure 1-5 – Subject and

Object of Attack

UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
Principles of Information Security, 3rd Edition
23

Introduction to Information Security (IT200)

• Impossible to obtain
perfect security—it is a
process, not an absolute

• Security should be
considered balance
between protection and
availability

• To achieve balance, level

of security must allow
reasonable access, yet
protect against threats

Balancing Information
Security and Access
UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
Introduction to Information Security (IT200)

Information Security Threats

• A threat refers to anything that has the potential to
cause harm to a computer systems.
• Threat agents human or non-human, intentional or
not
• Categories of threat agents
i. Nontarget specific
ii. Natural disaster
iii. Human unintentional
iv. Human intentional

UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
Introduction to Information Security (IT200)

i. Nontarget specific
• Generally in forms of − Key Logger
malicious software − Sniffer
(malware)
− Vulnerability Scanner
− Virus
− Backdoor
− Worm
− Rootkits
− Extortionware
− Bots
− Trojan
− Time/logic bomb
− Spyware

UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
Introduction to Information Security (IT200)
Virus Worm
• Self-replicating program • Virus-like program that make
reproduced by attaching copies of itself across network
executable copies of itself to connection;
other program;
• Seeking uninfected workstation
• Requires a host program to
infect and it is not executed until in which to reproduce;
the host program is run. • Able to travel independently
• Effects: irritating messages to through different hosts and
destruction of the system; resides more in the computer
memory of a system rather than
on disk; and
• Aim: Continued reproduction to
cause disk or memory
overload throughout the
network.

UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
Introduction to Information Security (IT200)
Extortionware Bots
• Also known as ransomware. • Internet robots, also known as
spiders, crawlers, and web bots.
• Malicious software that is
specifically designed to take • Self-propagating malware that
control of a computer infects its host and connects back to
system or its data and hold it a central server(s). The server
hostage so the attackers can functions as a “command and
demand payment from their control center” for a botnet,
victims. Malicious bots have the “worm-like
ability to self- propagate,” and can
also: gather passwords, launch Dos
attacks, Log keystrokes & etc

UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
Introduction to Information Security (IT200)
Trojan Horse
• Resides in the code of the program
until the moment its activation;
• Conditions of activation are
determined by the computer
programmer who designed the
program;
• Posted through internet disguised
as a harmless program, game, or
utility;
• Also used to exchange secret
information between hackers; and
• Also releases other malicious
program such as viruses or worms.
UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
Time/Logic Bombs
• Kinds of Trojan Horses;
• Logic Bomb inserts secretly into a
system and causes a destructive
action when a certain logical event
or sequence of event happens;
• The trigger can be a specific date, a
countdown reaching zero or an
internal state met by other factors in
the machine.
• e.g. A programmer who is unfairly
removed from his or her post may
plant a time bomb to be triggered
after the date of his or her removal.
Introduction to Information Security (IT200)
Spyware Key Logger
• Is a type of malicious • Is a specific of spyware.
software designed to steal • Records the keystrokes of a
personal information by user
running undetected on • It collects all the information
your machine & it has being processed through
found a pervasive home on the operating system &
the Internet. stores it all
• Will record what is done on
the machine over a period
of time & offload what it has
collected when it has an
available connection to the
spyware author’s site

UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
Introduction to Information Security (IT200)
Sniffer
• A program and/or device that
monitors data traveling over a
network.
• Can be used both for legitimate
network management functions
and for stealing information off a
network.
• Unauthorized sniffers
➢ Extremely dangerous to a
network's security because they
are
➢ Virtually impossible to detect and
can be inserted almost
anywhere.
➢ This makes them a favorite
weapon in the hacker's arsenal.
Vulnerability Scanner
• Automated tools designed to
assess computer systems,
networks or application for
weaknesses.
• Used to discover the weak
points or poorly constructed
parts.
• Can be run either as part of
vulnerability management by
those tasked with protecting the
systems or
• By hackers looking to gain
unauthorized access

UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
Introduction to Information Security (IT200)

ii. Natural Disaster

• Natural disaster can

devastate software &
hardware systems,
especially in data &
system loss.
• Floods, hurricane, &
earthquakes can attack
all your system by
simply destroying it
beyond repair

UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
Introduction to Information Security (IT200)

iii. Human Unintentional

• Breached security through accident or carelessness
• It might caused by the poor coding that allow backdoor
into the software system
• A more serious scenario of this type of threat agent is if
they accidently activate the malicious software or give
the wrong piece of information to the wrong person
(social engineering technique)

UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
Introduction to Information Security (IT200)

iv. Human Intentional

• A diverse group of people who have something to gain
by attacking our system.
• Motivation: pride or curiosity, information or money
• They will always be threats & zero-day
attacks,(caused massive damaged, can only be used
once & have yet to be deployed.
• Goal defensive design – to eliminate such scenarios

UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
Introduction to Information Security (IT200)

Types of Attackers
• Hackers vs Crackers
• White Hat
• Black Hat
• Gary Hat
• Hacktivism
• Cyberterrorist
• Script Kiddies

UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
Introduction to Information Security (IT200)

Types of Attackers (cont’d)

Hackers Crackers
✓ Someone who was proficient
✓ An individual with
with computers particularly in
extensive computer
the field of networking.
knowledge whose purpose
✓ Most often, they are expert
is to breach or bypass
programmers
security or gain access to
✓ Hackers can also be internet
software without paying
security experts hired to find
royalties
vulnerabilities in system
✓ Unethical & Illegal actions

UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
Introduction to Information Security (IT200)

Types of Attackers (cont’d)

01 02 03
Black hat hackers White hat hackers Gray hat hackers
• The Bad guy • The Good guy • Ambiguous purposes &
• Violate computer • Break security for flexible morality
security for personal non-malicious • Less threating crackers,
but often border on the
gain and the goal is to purposes illegal with their activities
inflict malicious • Goal to expose • Goal is to break into a
damage security flaws, not to system without owner’s
• Also known as steal or corrupt data permission, but not for
crackers their own advantage

UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
Introduction to Information Security (IT200)

Types of Attackers (cont’d)

• Hacktivists - attackers who attack for ideological reasons
that are generally not as well-defined as a
cyberterrorist’s motivation
• Protect against commercial or non-commercial entities
or a nation state a group or individual
• Examples of hacktivist attacks:
✓ Breaking into a website and changing the contents on the site
to make a political statement
✓ Disabling a website belonging to a bank because the bank
stopped accepting payments that were deposited into
accounts belonging to the hacktivists

UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
Introduction to Information Security (IT200)

Types of Attackers (cont’d)

• Cyberterrorists - an attacker whose motivation
may be ideological or for the sake of principles
or beliefs
➢ Almost impossible to predict when or where the
attack may occur
• Targets may include:
➢ A small group of computers or networks that can
affect the largest number of users
• Example:
➢ Computers that control the electrical power grid of a
state or region
UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
Introduction to Information Security (IT200)

Types of Attackers (cont’d)

• Script kiddies – People who take preexisting
hackers tool & use them to attack a target by
following instruction for breaking into system
• They download automated hacking software
(scripts) from websites & using it to perform
malicious acts.
• Over 40 percent of attacks require low or no skills
• Exploit kits - automated attack package that can
be used without an advanced knowledge of
computers
➢ Script kiddies either rent or purchase them

UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
Introduction to Information Security (IT200)

End of lecture 1

Let’s play puzzle!

UNIVERSITY MALAYSIA
OF COMPUTER SCIENCE & ENGINEERING
The Clues