CHAPTER 1 - 1

Prof. Joseph Wilfred Dela Cruz

Professor

Corpus, Kathlene M.

Students
 INFORMATION SECURITY

Outline

• Security in practice
• Models for data security
• Attacks
• Defense in depth

SECURITY IN PRACTICE

In 2018, 20,373 BEC/E-mail Account Compromise (EAC) complaints with

adjusted losses of over $1.2 billion (spoofed email, a spoofed phone call or a
spoofed text).

In 2018, 100 complaints with a combined reported loss of $100M. In the Payroll
Diversion scam.

In 2018, 51,146 extortion-related complaints with adjusted losses of over $83

million which represents a 242% increase in extortion related complaints from
2017.

Department of Justice (Office of Cybercrime)

Cybercrime report 2016 – 2017

3,951complaints for cybercrime and cyber-related offenses.

53.92% higher.
Critical Infrastructure areas

• Telecommunications
• Electrical power systems
• Water supply systems
• Gas and oil pipelines
• Transportation
• Government services
• Emergency services
• Banking and finance

Information Security - Protecting information and information systems from

unauthorized access, use, disclosure, disruption, modification, or destruction.

What is a secure computer system? - To decide whether a computer system

is “secure”, you must first decide what “secure” means to you, then identify the
threats you care about. “You will never own a perfectly secure system!”

Threats – examples

• Viruses, trojan horses, etc.

• Denial of Service
• Stolen Customer Data
• Modified Databases
• Identity Theft and other threats to personal privacy
• Equipment Theft
• Espionage in cyberspace
• Hack-tivism
• Cyberterrorism
Security means …

• Invading our networks

• Natural disasters
• Adverse environmental conditions
• Power failures,
• Theft or vandalism
• People

When are we secure?

Defining when we are insecure is a much easier task such as:

• Not patching our systems

• Using weak passwords such as “password” or “1234”
• Downloading programs from the Internet
• Opening e-mail attachments from unknown senders n Using wireless
networks without encryption.

Components of Information Security

Confidentiality

Availability

Integrity

Other security components added to CIA

o Authentication

o Authorization

o Non- repudiation
Confidentiality Refers to our ability to protect our data from those who are
not authorized to view it.

Difficult to ensure. Easiest to assess in terms of success. (binary in nature: Yes /

No)

Integrity ability to prevent our data from being changed in an unauthorized or

undesirable manner. Concerned with access to assets. More difficult to measure
than confidentiality (Not binary – degrees of integrity)

Integrity vs. Confidentiality

Context-dependent - means different things in different contexts

Could mean any subset of these asset properties:

{precision / accuracy / currency / consistency /

meaningfulness / usefulness / ...}

Availability Ability to access our data when we need it.

We can say that an asset (resource) is available if:

• Timely request response

• Fair allocation of resources (no starvation!)
• Fault tolerant (no total breakdown)
• Easy to use in the intended way
• Provides controlled concurrency (concurrency control, deadlock
control, ...)
The Parkerian Hexad

• Confidentiality
• Availability
• Integrity
• Possession
• Authenticity
• Utility

Possession or Control Refers to the physical disposition of the media on which

the data is stored

Authenticity Allows us to talk about the proper attribution as to the owner or

creator of the data in question.

Utility Refers to how useful the data is to us

Types of Attacks

Confidentiality – interception

Integrity – interruption, modification, fabrication

Availability – interruption, modification, fabrication

Interception allows unauthorized users to access our data, applications, or

environments, and are primarily an attack against confidentiality.

Interruption Cause our assets to become unusable or unavailable for our use,
on a temporary or permanent basis. Attacks often affect availability but can be
an attack on integrity as well.

Modification Involves tampering with our asset.

Fabrication Involve generating data, processes, communications, or other
similar activities with a system.

Threats, Vulnerabilities and Risk

Threats Something that has the potential to cause us harm.

Vulnerabilities Weaknesses that can be used to harm us. Holes that can be
exploited by threats in order to cause us harm.

Risk Likelihood that something bad will happen.

Controls Physical – Controls that protect the physical environment in which our
systems sit, or where out data is stored.

Logical Technical controls, are those that protect the systems, networks, and
environments that process, transmit, and store our data. Include items such as
passwords, encryption, logical access controls, firewalls, and intrusion detection
systems.

Administrative Based on rules, laws, policies, procedures, guide0lines, and

other items that are “paper” in nature.

Defense in Depth Strategy common to both military maneuvers and

information security.

Defense in Depth

• External Network
• Internal Network
• Host
• Application
• Data
 Defense in each Layer

• External Network
o DMZ
o VPN
o Logging
o Auditing
o Penetration Testing
o Vulnerability Analysis
• Network Perimeter
o Firewalls
o Proxy
o Logging
o Stateful Packet Inspection
o Auditing
o Penetration Testing
o Vulnerability Analysis
• Internal Network
o IDS
o IPS
o Logging
o Auditing
o Penetration Testing
o Vulnerability Analysis
• Host
o Authentication
o Antivirus
o Firewalls
o IDS
o IPS
o Password Hashing
o Logging
o Auditing
o Penetration Testing
o Vulnerability Analysis
• Application
o SSO
o Content Filtering
o Data Validation
o Auditing
o Penetration Testing
o Vulnerability Analysis
• Data
o Encryption
o Access Controls
o Backup
o Penetration Testing
o Vulnerability Analysis