Republic of the Philippines

CAVITE STATE UNIVERSITY

CCAT Campus
Rosario, Cavite
 (046) 437-9505 /  (046) 437-6659
[email protected]
www.cvsu-rosario.edu.ph
 TABLE OF CONTENTS

LESSON 1 .............................................................................................. 3
Introduction to Information Technology ............................................. 3
LESSON 2 .............................................................................................. 9
The Need for Security ........................................................................... 9
LESSON 3 ............................................................................................ 16
Legal, Ethical, and Professional Issues in Information Security ...... 16
LESSON 4 ............................................................................................ 20
Planning for Security .......................................................................... 20
LESSON 5 ............................................................................................ 24
Risk Management ................................................................................ 24
LESSON 7 ............................................................................................ 27
Security Technology ............................................................................ 27
LESSON 8 ............................................................................................ 31
Cryptography ...................................................................................... 31
 Republic of the Philippines
CAVITE STATE UNIVERSITY
CCAT Campus
Rosario, Cavite
 (046) 437-9505 /  (046) 437-6659
[email protected]
www.cvsu-rosario.edu.ph

LESSON 1

Introduction to Information Technology

Define information assurance and information security

Information assurance and information security are two closely related terms that refer to
practices and processes used to protect sensitive information from unauthorized access, use, disclosure,
disruption, modification, or destruction.

Information assurance refers to the measures and processes that ensure the confidentiality,
integrity, and availability of information. It involves a holistic approach to managing risks associated with
the storage, processing, and transmission of data. Information assurance aims to minimize the impact of
security breaches and other risks that could compromise the confidentiality, integrity, and availability of
information.

Information security, on the other hand, is a more specific term that focuses on protecting
information from unauthorized access, use, disclosure, disruption, modification, or destruction.
Information security involves the use of various technologies, tools, and processes to protect sensitive
information. It includes measures such as access control, encryption, firewalls, intrusion detection and
prevention systems, and security monitoring.

Information Security History

Information security has a long and evolving history that dates back to ancient times. Some of the key
milestones in the development of information security include:

• Cryptography in Ancient Times: Cryptography, or the practice of using codes and ciphers to
protect information, has been used since ancient times. The Egyptians, Greeks, and Romans all
used cryptography to protect sensitive messages.
• Medieval Castles: In the Middle Ages, castles were built with moats, walls, and other defensive
features to protect against attackers. These fortifications also protected the valuable information
and resources stored inside.
• World War II and the Enigma Machine: During World War II, the German military used the
Enigma machine to encrypt their communications. The Allies worked to crack the code and
ultimately succeeded in decrypting the messages, which helped them win the war.
• Birth of Modern Computing and Early Threats: In the late 1940s and 1950s, the first electronic
computers were developed. With the emergence of computer networks and mainframes, security
threats started to emerge, mainly from insiders trying to gain unauthorized access or exploit
vulnerabilities.
 • Passwords and Access Controls: In the 1960s, passwords and access controls were introduced as a
way to secure computer systems. However, early password systems were relatively weak, and
security breaches still occurred.
• The Internet Era: The birth of the internet in the 1970s and 1980s brought about new security
challenges. The early internet lacked robust security protocols, making it vulnerable to attacks
like worms and viruses.
• The Morris Worm: In 1988, Robert Tappan Morris created the first major internet worm, known
as the Morris Worm. It infected thousands of computers, highlighting the need for improved
security measures.
• Trusted Computing Initiative: In the late 1980s and early 1990s, the Trusted Computing Initiative
began to address computer security issues through the development of trusted computing
platforms and secure operating systems.
• Public-Key Cryptography: The discovery and development of public-key cryptography by
Whitfield Diffie, Martin Hellman, and Ralph Merkle in the mid-1970s revolutionized encryption
techniques, enabling secure communication over insecure networks.
• The Rise of Cybercrime: As the internet grew in popularity during the 1990s, cybercrime
escalated significantly. Cybercriminals exploited vulnerabilities in software and systems for
financial gain, leading to the development of cybersecurity measures.
• The 21st Century Cyber Landscape: The 21st century witnessed a rapid increase in cyber-attacks,
data breaches, and security incidents. High-profile incidents like the Stuxnet worm (2010) and the
WannaCry ransomware attack (2017) highlighted the need for stronger cybersecurity measures.
• Mobile Security: With the proliferation of smartphones and mobile devices, mobile security
became a major concern. Mobile malware and data breaches on mobile platforms necessitated the
development of robust mobile security solutions.
• Cloud Security: As cloud computing became prevalent, concerns about data security in the cloud
grew. New security measures were implemented to protect data stored and transmitted through
cloud services.
• Internet of Things (IoT) Security: The rapid expansion of IoT devices brought new security
challenges. Insecure IoT devices have been targeted by attackers to gain access to networks or
conduct large-scale attacks.
• Advanced Persistent Threats (APTs): In recent years, sophisticated APTs have emerged, targeting
governments, corporations, and critical infrastructure. These threats require constant vigilance
and advanced cybersecurity capabilities.
• Data Privacy Regulations: In response to the growing number of data breaches and concerns
about data privacy, various countries and regions have implemented data protection laws like the
European Union's General Data Protection Regulation (GDPR).

Components of Information System

An information system is a collection of people, processes, data, and technology that work together to
manage and process information. The key components of an information system are:

1. People: The people component of an information system includes those who use and manage the
system, including end-users, system administrators, and IT staff. People are responsible for
creating, managing, and using data and information within the system.
 2. Processes: Processes refer to the activities and procedures that are used to collect, store, process,
and distribute information within the system. Examples of processes include data entry, data
validation, data processing, and data reporting.
3. Data: Data is the raw material that is used by the information system. It can be in various formats
such as text, numbers, images, or multimedia. Data must be accurate, reliable, and timely to be
useful.
4. Software: Software refers to the computer programs and applications that are used to process and
manage data within the system. Examples of software used in an information system include
database management systems, enterprise resource planning (ERP) systems, and customer
relationship management (CRM) systems.
5. Hardware: Hardware refers to the physical components of the information system, including
computers, servers, networking devices, and storage devices. These components work together to
provide the necessary computing power and storage capacity to manage and process information
within the system.
6. Network: The network component of an information system includes the communication
infrastructure that enables data to be transmitted between different components of the system.
This can include local area networks (LANs), wide area networks (WANs), and the Internet.

Balancing Information Security and Access

Balancing information security and access is a critical concern for any organization. On the one hand,
organizations need to protect their sensitive information from unauthorized access, use, and disclosure.
On the other hand, they also need to ensure that authorized users can access the information they need to
perform their jobs.

Here are some strategies that organizations can use to balance information security and access:

1. Implement Access Controls: Access controls are tools and processes that restrict access to
information based on user roles and permissions. By implementing access controls, organizations
can ensure that only authorized users can access sensitive information.
2. Use Multi-Factor Authentication: Multi-factor authentication requires users to provide two or
more types of authentication factors, such as a password and a fingerprint, to access information.
This can help to ensure that only authorized users can access sensitive information.
3. Educate Users: Educating users about information security risks and best practices can help to
reduce the likelihood of accidental data breaches. Users should be trained on topics such as
password security, phishing scams, and safe browsing habits.
4. Use Encryption: Encryption is the process of encoding information so that it can only be read by
authorized users. By using encryption, organizations can protect sensitive information from
unauthorized access and disclosure.
5. Monitor User Activity: Monitoring user activity can help organizations to detect and prevent
security breaches. By analyzing user behavior, organizations can identify potential security risks
and take action to mitigate them.

Approaches to Information Security Implementation

There are several approaches to implementing information security in an organization. Here are some
common approaches:

1. Risk-based Approach: This approach involves identifying and assessing risks to the organization's
information assets and then implementing controls to mitigate those risks. Risk assessments can
 help organizations identify the assets that need to be protected, the threats and vulnerabilities that
exist, and the potential impact of a security breach.
2. Compliance-based Approach: This approach involves implementing security controls to comply
with regulatory requirements and industry standards. Organizations in regulated industries such as
healthcare, finance, and government may be required to comply with specific regulations and
standards related to information security.
3. Defense-in-Depth Approach: This approach involves implementing multiple layers of security
controls to provide redundancy and protection against a wide range of threats. This can include
physical security measures, network security controls, and data encryption.
4. Human-centric Approach: This approach focuses on the role of people in information security. It
involves educating and training employees on security best practices, implementing policies and
procedures to guide employee behavior, and monitoring employee activity to detect and prevent
security breaches.
5. Technology-focused Approach: This approach emphasizes the use of technology to protect
information assets. It involves implementing security technologies such as firewalls, intrusion
detection and prevention systems, and antivirus software to protect against threats.

Security in the Systems Development Life Cycle

Security is a critical consideration in the systems development life cycle (SDLC) - a process used by
organizations to design, develop, and implement information systems. Here are the key stages of the
SDLC and how security can be incorporated into each stage:

1. Planning: In the planning stage, organizations define the objectives and requirements of the new
system. Security should be considered during this stage to ensure that security requirements are
identified and included in the system design. This can include identifying potential security risks,
developing security policies and procedures, and allocating resources to support security
initiatives.
2. Analysis: During the analysis stage, organizations assess their current systems and determine the
requirements for the new system. Security considerations during this stage include identifying the
types of data that will be stored, determining access controls for the system, and identifying
potential security threats.
3. Design: In the design stage, organizations create a detailed plan for the new system, including
system architecture, data structures, and interfaces. Security considerations during this stage
include incorporating security controls into the system design, developing data protection
strategies, and designing access controls to limit user access to sensitive information.
4. Implementation: In the implementation stage, the new system is built and tested. Security
considerations during this stage include testing security controls, implementing access controls,
and configuring firewalls and other security technologies.
5. Testing: During the testing stage, the new system is tested for functionality and performance.
Security considerations during this stage include conducting security testing to identify
vulnerabilities, penetration testing to test the system's defenses against attacks, and testing
disaster recovery procedures.
6. Deployment: In the deployment stage, the new system is released into production. Security
considerations during this stage include configuring security controls, implementing monitoring
and logging procedures, and establishing incident response protocols.
7. Maintenance: During the maintenance stage, the system is monitored and updated to ensure that it
continues to meet organizational needs. Security considerations during this stage include updating
security controls, patching vulnerabilities, and training employees on new security threats and
best practices.
Here are some key terms and critical concepts of information security:

1. Confidentiality: This refers to the protection of sensitive information from unauthorized access.
Confidentiality ensures that only authorized individuals or entities can access sensitive data.
2. Integrity: This refers to the protection of data from unauthorized modification. Integrity ensures
that data is not altered or modified in an unauthorized manner.
3. Availability: This refers to the availability of data and systems to authorized users. Availability
ensures that systems and data are accessible when needed.
4. Authentication: This refers to the process of verifying the identity of a user or entity.
Authentication ensures that only authorized individuals or entities can access systems and data.
5. Authorization: This refers to the process of granting or denying access to systems or data based
on the identity of the user. Authorization ensures that only authorized individuals or entities can
access specific systems or data.
6. Risk management: This refers to the process of identifying, assessing, and mitigating risks to
information systems and data. Risk management is critical for maintaining the confidentiality,
integrity, and availability of information assets.
7. Threats: These are potential events or actions that could harm information systems or data.
Threats can include malware, hacking attacks, phishing scams, and social engineering.
8. Vulnerabilities: These are weaknesses in information systems or processes that can be exploited
by attackers. Vulnerabilities can include software bugs, misconfigured systems, and weak
passwords.
9. Defense in depth: This is an approach to security that involves implementing multiple layers of
security controls to protect information assets. Defense in depth ensures that even if one layer of
security is compromised, other layers will still provide protection.
10. Incident response: This is the process of responding to security incidents, such as data breaches or
cyber-attacks. Incident response involves identifying and containing the incident, investigating
the cause, and restoring normal operations.

Describe the information security roles of professionals within an organization

There are various information security roles within an organization, each with its specific responsibilities.
Here are some common information security roles and their duties:

1. Chief Information Security Officer (CISO): The CISO is responsible for overseeing the entire
information security program within an organization. They establish the organization's security
policies, standards, and procedures, and ensure that they are in compliance with relevant laws and
regulations. The CISO also manages the organization's security team and coordinates with other
departments to ensure that the organization's information assets are adequately protected.
2. Security Analyst: Security analysts are responsible for analyzing the organization's security risks
and vulnerabilities and designing security solutions to mitigate them. They also monitor the
organization's security systems, such as firewalls and intrusion detection systems, and respond to
security incidents as needed.
3. Security Engineer: Security engineers design and implement security systems and technologies.
They work with security analysts to identify security risks and vulnerabilities and develop
solutions to mitigate them. Security engineers also conduct security assessments to identify
weaknesses in the organization's security posture.
4. Security Architect: Security architects design and implement the organization's security
architecture. They develop security policies, standards, and procedures and ensure that they are
aligned with the organization's overall business goals. Security architects also evaluate new
 technologies and products to ensure that they are compatible with the organization's security
architecture.
5. Network Security Engineer: Network security engineers are responsible for securing the
organization's network infrastructure. They design and implement security solutions to protect the
organization's network from unauthorized access, attacks, and data breaches. Network security
engineers also monitor the organization's network for security threats and respond to incidents as
needed.
6. Application Security Analyst: Application security analysts are responsible for securing the
organization's software applications. They identify security risks and vulnerabilities in the
applications and develop solutions to mitigate them. Application security analysts also ensure that
the organization's software applications are developed and deployed securely.
7. Security Operations Center (SOC) Analyst: SOC analysts monitor the organization's security
systems, such as firewalls and intrusion detection systems, for security incidents. They respond to
incidents as needed, investigate security breaches, and recommend security solutions to prevent
future incidents.
 Republic of the Philippines
CAVITE STATE UNIVERSITY
CCAT Campus
Rosario, Cavite
 (046) 437-9505 /  (046) 437-6659
[email protected]
www.cvsu-rosario.edu.ph

LESSON 2

The Need for Security

Threats and attacks

Threats and attacks can refer to a wide range of situations, but generally, they involve some form of harm
or danger being imposed on a person, group, or organization. Below are some examples of threats and
attacks:

1. Cyberattacks: These are attacks that are carried out through the internet or other digital channels.
Cyberattacks can take various forms, such as phishing scams, malware, and denial-of-service
attacks. They can be used to steal sensitive information, compromise computer systems, or
disrupt services.
2. Physical attacks: These are violent attacks carried out in person. They can involve assault,
battery, or other forms of physical harm. Physical attacks can be motivated by a variety of factors,
including hate, revenge, or greed.
3. Terrorism: Terrorism involves the use of violence and intimidation to achieve political or
ideological goals. It can take various forms, such as bombings, shootings, or hijackings.
4. Threats of violence: Threats of violence can take various forms, such as verbal threats, written
threats, or online threats. They can be used to intimidate or coerce someone into doing something
they don't want to do or to instill fear.
5. Natural disasters: Natural disasters, such as hurricanes, earthquakes, and floods, can cause
significant damage and harm to people, animals, and infrastructure.
6. Financial fraud: Financial fraud involves the use of deception or misrepresentation to obtain
money or other valuables from someone. It can take various forms, such as Ponzi schemes,
identity theft, or credit card fraud.

Understand threats and attacks in information security

In information security, a threat is any potential danger or harm to an organization's information or
technology assets. An attack is an intentional attempt to exploit a vulnerability or weakness in an
organization's security defenses to gain unauthorized access to sensitive information or disrupt normal
operations. Threats and attacks can come from a variety of sources, including external attackers, insiders,
and forces of nature.

Here are some common types of threats and attacks in information security:
 1. Malware: Malware is a type of software designed to harm or disrupt computer systems. This can
include viruses, worms, trojans, and ransomware.
2. Phishing: Phishing is a type of social engineering attack that uses email, phone calls, or other
methods to trick users into divulging sensitive information or clicking on a malicious link.
3. Denial-of-service (DoS) attacks: DoS attacks are designed to overload a system or network with
traffic, causing it to crash or become unavailable to users.
4. Password attacks: Password attacks involve attempting to guess or crack a user's password to gain
unauthorized access to a system or network.
5. Insider threats: Insider threats refer to employees or contractors who use their access to an
organization's systems or data to steal or compromise sensitive information.
6. Physical attacks: Physical attacks involve physically accessing an organization's facilities or
equipment to steal or damage data.

Compromises to intellectual property

Compromises to intellectual property (IP) occur when someone uses, steals, or shares protected
information or ideas without permission or proper authorization. This can have serious consequences for
individuals, businesses, and society as a whole. Here are some examples of compromises to intellectual
property:

1. Copyright infringement: Copyright infringement occurs when someone uses, reproduces, or

distributes copyrighted material without permission. This can include music, movies, books,
software, and other forms of creative content.
2. Patent infringement: Patent infringement occurs when someone uses or sells an invention or
process that is protected by a patent without permission. This can include software, machines, and
other types of technology.
3. Trademark infringement: Trademark infringement occurs when someone uses a logo, brand
name, or other symbol that is protected by a trademark without permission. This can lead to
confusion in the marketplace and can harm the reputation of the trademark owner.
4. Trade secret theft: Trade secret theft occurs when someone steals confidential information, such
as customer lists, formulas, or manufacturing processes, from a business. This can harm the
business's competitiveness and profitability.
5. Counterfeiting: Counterfeiting occurs when someone creates or sells fake versions of products
that are protected by IP laws. This can harm the reputation of the genuine product and can lead to
financial losses for the legitimate owner.

Different types of threats and attacks in Information security

Espionage or trespass
Espionage or trespassing refer to illegal or unauthorized access to confidential information or property.
These acts can have serious consequences for individuals, organizations, and even national security. Here
are some examples of espionage or trespassing:

1. Corporate espionage: Corporate espionage occurs when a company or individual steals trade
secrets, confidential information, or intellectual property from another company. This can harm
the competitiveness and profitability of the victimized company.
 2. Cyber espionage: Cyber espionage occurs when a foreign government or group uses hacking or
other digital methods to gain access to confidential information or intellectual property. This can
have serious national security implications.
3. Trespassing: Trespassing occurs when someone enters a property without permission or
authorization. This can include entering a restricted area, such as a government facility or military
base.
4. Physical espionage: Physical espionage occurs when someone gains access to confidential
information by physically stealing documents or other materials from a company or government
agency.
5. Economic espionage: Economic espionage occurs when a foreign government or group steals
information about a company's finances, market strategies, or research and development plans to
gain a competitive advantage.

Forces of nature
Forces of nature are natural phenomena that occur without human intervention, such as weather events,
earthquakes, volcanic eruptions, and wildfires. These events can have a significant impact on the
environment and human life. Here are some examples of forces of nature:

1. Weather events: Weather events such as hurricanes, tornadoes, floods, and droughts can cause
widespread damage to property and infrastructure, as well as loss of life.
2. Earthquakes: Earthquakes are caused by the movement of tectonic plates beneath the Earth's
surface and can result in damage to buildings, bridges, and other structures.
3. Volcanic eruptions: Volcanic eruptions can cause significant damage to the environment and
nearby communities, including the destruction of homes, displacement of people, and the release
of toxic gases and ash.
4. Wildfires: Wildfires can occur naturally or be caused by human activities, such as campfires or
cigarette butts. They can spread quickly and cause significant damage to forests, homes, and other
structures.
5. Tsunamis: Tsunamis are caused by underwater earthquakes, volcanic eruptions, or landslides and
can cause significant damage to coastal communities.

Human error or failure

Human error or failure refers to mistakes or errors made by individuals or groups that result in unintended
consequences or negative outcomes. Human error can occur in various fields, such as aviation, healthcare,
and manufacturing. Here are some examples of human error or failure:

1. Mistakes in healthcare: Mistakes in healthcare can include medication errors, misdiagnosis, or

failure to follow proper procedures during surgery. These errors can have serious consequences
for patients and their families.
2. Errors in aviation: Errors in aviation can include pilot error, air traffic control mistakes, or
mechanical failures. These errors can result in accidents and loss of life.
3. Manufacturing errors: Manufacturing errors can include mistakes in the production process, such
as socio defective products or incorrect assembly. These errors can lead to product recalls, loss of
revenue, and damage to a company's reputation.
4. Cybersecurity breaches: Cybersecurity breaches can occur when individuals or groups gain
unauthorized access to sensitive data or systems. This can lead to financial loss, identity theft, and
damage to an organization's reputation.
 5. Environmental disasters: Environmental disasters can occur as a result of human error or failure,
such as oil spills or industrial accidents. These disasters can have significant environmental and
economic consequences.

Information extortion
Information extortion is a type of cybercrime in which the attacker threatens to publish or withhold
sensitive or confidential information unless a ransom or other demand is met. Information extortion can
have serious consequences for individuals and organizations, including financial loss, damage to
reputation, and legal liability. Here are some examples of information extortion:

1. Ransomware attacks: Ransomware attacks involve the use of malware to encrypt a victim's files
or systems and demand payment in exchange for the decryption key. Ransomware attacks can be
targeted at individuals or organizations and can result in the loss of sensitive data or the
disruption of business operations.
2. Doxxing: Doxxing involves the publication of an individual's personal information, such as their
name, address, or social security number, without their consent. This information can be used to
extort money or to harass or intimidate the victim.
3. DDoS attacks: Distributed denial of service (DDoS) attacks involve flooding a target's servers
with traffic to overwhelm the system and prevent legitimate access. DDoS attacks can be used as
a form of extortion, with attackers demanding payment to stop the attack.
4. Insider threats: Insider threats involve employees or contractors who have access to sensitive
information or systems and use that access to extort money or other benefits from their employer.

Sabotage or vandalism
Sabotage or vandalism refers to intentional damage or destruction of property, equipment, or information
with the aim of causing harm or disruption. These types of actions can have serious consequences for
individuals, organizations, and society as a whole. Here are some examples of sabotage or vandalism:

1. Physical damage: Physical damage can include acts of vandalism, such as graffiti or destruction
of property, or sabotage of equipment or machinery. This can result in financial loss, downtime,
and disruption of business operations.
2. Cyberattacks: Cyberattacks can include hacking, denial of service attacks, or the introduction of
malware or viruses into a network. These attacks can result in the theft of sensitive information,
disruption of services, or damage to an organization's reputation.
3. Environmental sabotage: Environmental sabotage can include acts of eco-terrorism, such as the
destruction of oil pipelines or logging equipment. These actions can have significant
environmental and economic consequences.
4. Intellectual property theft: Intellectual property theft can include the theft or destruction of
proprietary information or trade secrets. This can result in financial loss, loss of competitive
advantage, and damage to an organization's reputation.

Software attacks
Software attacks refer to cyberattacks that exploit vulnerabilities in software applications or systems to
gain unauthorized access, steal data, or disrupt operations. These attacks can have serious consequences
for individuals, organizations, and society as a whole. Here are some examples of software attacks:
 1. Malware: Malware refers to malicious software, such as viruses, worms, or trojans, that are
designed to infect a computer or network and perform unauthorized actions. Malware can be used
to steal sensitive data, disrupt operations, or gain unauthorized access to systems.
2. Phishing: Phishing attacks involve the use of social engineering techniques, such as fake emails
or websites, to trick individuals into divulging sensitive information, such as passwords or credit
card numbers. Phishing attacks can be used to gain access to sensitive systems or steal personal
information.
3. SQL injection: SQL injection attacks involve inserting malicious code into a website's database,
which can allow attackers to bypass authentication or gain access to sensitive data. SQL injection
attacks can be used to steal data, modify or delete data, or gain unauthorized access to systems.
4. Denial of service (DoS) attacks: DoS attacks involve flooding a target's servers with traffic to
overwhelm the system and prevent legitimate access. DoS attacks can be used to disrupt
operations or extort money from the target.

Technological obsolescence
Technological obsolescence refers to the state where technology becomes outdated or no longer useful
due to the emergence of newer, more advanced technologies. This can be a result of rapid technological
advancements, changing market demands, or shifts in consumer behavior. Technological obsolescence
can have significant consequences for individuals, organizations, and society as a whole. Here are some
examples of technological obsolescence:

1. Outdated hardware: Hardware devices, such as computers, smartphones, or other electronics, can
become obsolete as newer, more powerful devices are released. This can lead to decreased
productivity, increased costs, and difficulty in finding replacement parts.
2. Obsolete software: Software applications can become obsolete as newer versions are released or
as they are no longer supported by the vendor. This can lead to security vulnerabilities, decreased
functionality, and the inability to access or use certain files or applications.
3. Disruptive technologies: Disruptive technologies can render existing products or services obsolete
by offering new and more efficient solutions. For example, the emergence of ride-sharing apps
like Uber and Lyft disrupted the traditional taxi industry.
4. Changing market demands: Changes in consumer behavior or market demand can render certain
technologies or products obsolete. For example, the rise of streaming services has led to a decline
in the sales of physical media like DVDs and Blu-rays.

Theft
Theft is the act of taking someone else's property without their consent or permission. It is a crime that
can have significant consequences for individuals and organizations. Here are some examples of theft:

1. Physical theft: Physical theft involves stealing tangible items, such as money, jewelry, or
electronics. This can occur through burglary, robbery, or pickpocketing.
2. Identity theft: Identity theft involves stealing someone's personal information, such as their name,
social security number, or credit card information, to commit fraud or other crimes.
3. Intellectual property theft: Intellectual property theft involves stealing someone's creative work,
such as music, movies, or software, without their permission or without compensating them for
their work.
4. Cyber theft: Cyber theft involves stealing data or information from computer systems or
networks. This can include stealing financial information, personal data, or other sensitive
information.
Understand the terms in Intellectual Property
Intellectual property refers to creations of the mind, such as inventions, literary and artistic works,
designs, symbols, and names. Intellectual property is protected by law, and the term includes several
types of legal protection, including patents, trademarks, copyrights, and trade secrets. Here are some
common terms used in intellectual property:

1. Patent: A patent is a legal right granted to an inventor for a limited period of time, allowing them
to prevent others from making, using, or selling their invention without their permission.
2. Trademark: A trademark is a distinctive symbol, word, phrase, or design that identifies and
distinguishes the source of goods or services from those of others.
3. Copyright: A copyright is a legal right that gives the creator of a literary, artistic, or musical work
exclusive control over how their work is used and distributed.
4. Trade secret: A trade secret is confidential information that provides a competitive advantage to a
business, such as formulas, designs, and manufacturing processes.
5. Infringement: Infringement occurs when someone uses someone else's intellectual property
without their permission, which can include copying, distributing, or selling protected works.
6. Licensing: Licensing involves granting someone else the right to use your intellectual property
for a fee or other consideration.
7. Fair use: Fair use is a legal doctrine that allows for the limited use of copyrighted material
without the copyright owner's permission, such as for criticism, commentary, or news reporting.

List and describe the common development failures and errors that result from poor software
security efforts.

1. Injection Attacks: Insufficient input validation can lead to injection attacks like SQL injection or
cross-site scripting (XSS), allowing attackers to inject malicious code into the application.
2. Insecure Authentication and Authorization: Weak authentication mechanisms, improper
session management, or insufficient authorization controls can lead to unauthorized access and
privilege escalation.
3. Insecure Configuration: Failing to secure configurations properly, such as default passwords,
unnecessary services, or weak encryption settings, can create vulnerabilities.
4. Sensitive Data Exposure: Poorly implemented encryption or storage mechanisms can expose
sensitive data, leading to data breaches and privacy violations.
5. Security Misconfiguration: Incorrect security settings, permissions, and access controls can
expose sensitive functionality and data to unauthorized users.
6. Cross-Site Scripting (XSS): Inadequate validation of user-generated content can allow attackers
to inject malicious scripts, potentially compromising user data or sessions.
7. Broken Authentication: Flaws in authentication processes, like session fixation or weak
password hashing, can result in unauthorized access to user accounts.
8. Denial of Service (DoS) Attacks: Lack of input validation or resource throttling can make
applications vulnerable to DoS attacks that overwhelm systems and cause service disruption.
9. Insecure Deserialization: Improper handling of serialized data can lead to remote code
execution or data manipulation attacks.
10. Insufficient Logging and Monitoring: Inadequate logging and monitoring practices can make it
difficult to detect and respond to security incidents.
11. Vulnerable Third-Party Components: Using outdated or vulnerable libraries and frameworks
can introduce security weaknesses into applications.
12. Lack of Input Validation: Not properly validating input can lead to buffer overflows, command
injection, and other exploits.
13. Improper Error Handling: Poorly designed error messages can expose sensitive information or
provide clues to attackers about system vulnerabilities.
14. Insecure File Handling: Inadequate handling of uploaded files can lead to malicious file
execution or unauthorized access.
15. Weak Cryptography: Using weak encryption algorithms or not implementing encryption
correctly can compromise data confidentiality.
16. Social Engineering Vulnerabilities: Applications that don't implement proper security education
for users can become susceptible to phishing and other social engineering attacks.
 Republic of the Philippines
CAVITE STATE UNIVERSITY
CCAT Campus
Rosario, Cavite
 (046) 437-9505 /  (046) 437-6659
[email protected]
www.cvsu-rosario.edu.ph

LESSON 3

Legal, Ethical, and Professional Issues in Information Security

Law and Ethics in Information Security

Law and ethics play a crucial role in information security, as they help ensure that individuals and
organizations act in responsible and legal ways when dealing with sensitive information.

The laws that apply to information security can vary by country but generally include regulations
around data privacy, data protection, and cybersecurity. These laws typically outline the rights and
responsibilities of individuals and organizations when it comes to collecting, storing, processing, and
sharing information.

Ethics in information security, on the other hand, focuses on the moral and social implications of
how information is collected, used, and protected. This includes issues such as transparency,
accountability, fairness, and respect for individual privacy.

Some ethical principles that are relevant to information security include:

• Confidentiality: Ensuring that sensitive information is kept private and only shared with
authorized individuals or organizations.
• Integrity: Ensuring that information is accurate and reliable.
• Availability: Ensuring that information is available when it is needed.
• Responsibility: Taking responsibility for the security of information and ensuring that appropriate
measures are in place to protect it.
• Accountability: Being accountable for any breaches or violations of information security policies
or laws.

Codes of Ethics of Professional Organizations

Many professional organizations related to information security have established codes of ethics that
outline the ethical principles and standards of conduct that their members should follow. These codes
provide guidance on how to behave in various situations and promote professionalism and ethical
behavior within the industry.

Some examples of professional organizations with codes of ethics related to information security include:
 1. The International Association of Computer Science and Information Technology (IACSIT): This
organization has established a code of ethics that promotes the ethical use of computer science
and information technology for the benefit of society. The code emphasizes the importance of
honesty, integrity, and professionalism in all aspects of work related to information security.
2. The Information Systems Security Association (ISSA): This organization has established a code
of ethics that focuses on promoting ethical behavior and professionalism in the field of
information security. The code emphasizes the importance of protecting sensitive information,
respecting individual privacy, and adhering to legal and ethical standards.
3. The International Association of Privacy Professionals (IAPP): This organization has established
a code of ethics that promotes the ethical use of personal information and respect for individual
privacy. The code emphasizes the importance of transparency, accountability, and informed
consent in all aspects of information security.
4. The Cloud Security Alliance (CSA): This organization has established a code of ethics that
promotes ethical behavior and professionalism in the field of cloud security. The code emphasizes
the importance of maintaining the security and privacy of data in cloud environments and
adhering to legal and ethical standards.

Describe the functions of and relationships among laws, regulations, and professional organizations

Laws, regulations, and professional organizations all play important roles in regulating and promoting
ethical behavior in the field of information security.

Laws are formal rules that are enacted by governments to govern the behavior of individuals and
organizations. Laws related to information security, such as the General Data Protection Regulation
(GDPR) in the European Union or the California Consumer Privacy Act (CCPA) in the United States,
establish legal requirements and standards that must be followed to protect sensitive information.
Noncompliance with these laws can result in legal penalties, such as fines or legal action.

Regulations are rules that are established by regulatory agencies to implement and enforce laws.
Regulatory agencies, such as the Federal Trade Commission (FTC) in the United States or the
Information Commissioner's Office (ICO) in the United Kingdom, have the power to investigate and
enforce compliance with laws related to information security. These agencies may also establish
additional requirements and guidelines for organizations to follow to protect sensitive information.

Professional organizations are associations of individuals or companies in a particular industry, such as

the International Association of Computer Science and Information Technology (IACSIT) or the
Information Systems Security Association (ISSA). These organizations provide guidance and support for
professionals in the industry, establish ethical standards and codes of conduct, and offer professional
development opportunities. They may also advocate for laws and regulations that promote ethical
behavior and best practices in the field of information security.

The relationship between laws, regulations, and professional organizations is complex and interconnected.
Laws and regulations establish legal requirements and consequences for noncompliance, while
professional organizations establish ethical standards and provide guidance and support for individuals
and organizations in the industry. Professional organizations may also work to influence the development
of laws and regulations to ensure that they are effective and promote ethical behavior in the industry.
Overall, these three elements work together to promote responsible and ethical behavior in the field of
information security.
Describe the functions of and relationships among laws, regulations, and professional organizations
in information security
Laws, regulations, and professional organizations are all important in promoting responsible behavior and
regulating the information security industry.

Laws are formal rules that are established by governments to regulate the behavior of individuals and
organizations. Laws related to information security, such as the General Data Protection Regulation
(GDPR) in the European Union, establish legal requirements for protecting sensitive information and
ensure that organizations are held accountable for data breaches and other security incidents. Compliance
with these laws is mandatory and noncompliance can result in legal penalties.

Regulations are rules that are established by regulatory agencies to enforce and implement laws. In the
field of information security, regulatory agencies such as the Federal Trade Commission (FTC) in the
United States and the Information Commissioner's Office (ICO) in the United Kingdom are responsible
for investigating and enforcing compliance with laws related to information security. These agencies may
also establish additional requirements and guidelines for organizations to follow.

Professional organizations

The relationship between laws, regulations, and professional organizations is complex and interconnected.
Laws and regulations establish legal requirements and consequences for noncompliance, while
professional organizations establish ethical standards and provide guidance and support for individuals
and organizations in the industry. Professional organizations may also work to influence the development
of laws and regulations to ensure that they are effective and promote ethical behavior in the industry.

Some of the major national laws that affect the practice of information security include:

1. General Data Protection Regulation (GDPR) - Enacted by the European Union, the GDPR
establishes strict requirements for the collection, processing, and storage of personal data.
2. California Consumer Privacy Act (CCPA) - Enacted by the state of California, the CCPA
establishes privacy rights for California residents and requires businesses to disclose what
personal information they collect and how it is used.
3. Health Insurance Portability and Accountability Act (HIPAA) - Enacted in the United States,
HIPAA establishes standards for the privacy and security of healthcare information.
4. Federal Information Security Modernization Act (FISMA) - Enacted in the United States, FISMA
establishes requirements for federal agencies to secure and protect their information and
information systems.
5. Cybersecurity Information Sharing Act (CISA) - Enacted in the United States, CISA encourages
the sharing of cybersecurity information between private sector entities and the government to
improve overall cybersecurity.

There are several professional organizations in the Philippines that have codes of ethics related to
information security. Here are some of them:

• Information Security Officers Group Philippines (ISOGP) - ISOGP is a non-profit organization

that aims to promote and advance the field of information security in the Philippines. They have a
code of ethics that members are expected to abide by, which includes principles such as
 maintaining confidentiality, integrity, and availability of information, and being honest and
transparent in their dealings.
• Philippine Computer Emergency Response Team (PH-CERT) - PH-CERT is a public-private
partnership that aims to improve the country's cybersecurity posture. They have a code of ethics
that covers topics such as professional conduct, confidentiality, and ethical hacking practices.
• Philippine Society of Information Technology Educators (PSITE) - PSITE is an organization of
information technology educators in the Philippines. They have a code of ethics that emphasizes
the importance of honesty, integrity, and professionalism in the practice of information
technology.
• Philippine Society of Information Security Professionals (PSISP) - PSISP is a non-profit
organization that aims to promote the development and advancement of information security in
the Philippines. They have a code of ethics that outlines the ethical principles that their members
should uphold, such as respecting privacy and confidentiality, and avoiding conflicts of interest.
• In the Philippines, there are several laws that affect the practice of information security. Some of
the major national laws include:
• Data Privacy Act of 2012 (DPA) - This law is the primary legislation governing data protection in
the Philippines. It establishes the rights of data subjects and the obligations of data controllers and
processors in relation to the collection, use, storage, processing, and disposal of personal data.
• Cybercrime Prevention Act of 2012 - This law defines and penalizes cybercrime offenses, such as
hacking, cyber-squatting, and identity theft. It also established the Cybercrime Investigation and
Coordinating Center (CICC) to coordinate and monitor the implementation of the law.
• E-Commerce Act of 2000 - This law provides a legal framework for e-commerce activities in the
Philippines. It includes provisions for electronic contracts, digital signatures, and online consumer
protection.
• Anti-Photo and Video Voyeurism Act of 2009 - This law penalizes the unauthorized taking or
recording of photos or videos of a person's private parts, or of a person engaged in a sexual act.
• National Privacy Commission (NPC) Circulars - The NPC is the agency responsible for
implementing the DPA. It issues circulars to provide guidance on compliance with the law and to
establish rules and regulations for the protection of personal data.
 Republic of the Philippines
CAVITE STATE UNIVERSITY
CCAT Campus
Rosario, Cavite
 (046) 437-9505 /  (046) 437-6659
[email protected]
www.cvsu-rosario.edu.ph

LESSON 4

Planning for Security

Information Security Planning and Governance

Information security planning and governance are crucial aspects of any organization's overall security
strategy. They involve developing a comprehensive plan to protect the organization's information assets
and establishing the necessary policies, procedures, and structures to ensure effective security
management. Here are some key elements of information security planning and governance:

1. Risk Assessment: Conducting a thorough risk assessment is the foundation of information

security planning. It involves identifying and evaluating potential risks and vulnerabilities to
the organization's information assets. This assessment helps prioritize security measures and
allocate resources effectively.
2. Security Policies and Procedures: Developing and implementing security policies and
procedures is essential for maintaining a secure environment. These policies define
acceptable use, data classification, access controls, incident response, and other security-
related practices. Procedures outline step-by-step instructions for implementing and enforcing
these policies.
3. Security Organization and Roles: Establishing clear lines of responsibility and accountability
is critical. Define the roles and responsibilities of individuals and teams responsible for
information security, such as security officers, administrators, and incident response teams.
This ensures that security tasks are assigned and executed effectively.
4. Compliance and Legal Requirements: Information security planning should consider relevant
legal and regulatory requirements specific to the organization's industry. Ensure compliance
with standards such as the General Data Protection Regulation (GDPR), Health Insurance
Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard
(PCI DSS), and others applicable to your organization.
5. Security Awareness Training: Educating employees about security risks and best practices is
vital for maintaining a secure environment. Conduct regular security awareness training
sessions to promote a culture of security and provide employees with the knowledge and
skills to identify and respond to security threats.
6. Incident Response and Business Continuity: Develop an incident response plan to handle
security incidents effectively. This plan should outline the steps to be taken in the event of a
security breach, including incident identification, containment, eradication, and recovery.
 Additionally, establish business continuity and disaster recovery plans to minimize the impact
of disruptions and ensure the organization can continue its operations.
7. Security Audits and Assessments: Regularly assess and evaluate the effectiveness of your
security measures through internal and external audits. These audits help identify
vulnerabilities, gaps in security controls, and areas for improvement. Conduct penetration
testing, vulnerability assessments, and security audits to validate the security posture of your
systems.
8. Monitoring and Incident Detection: Implement robust monitoring and detection mechanisms
to identify and respond to security incidents in real-time. This may include intrusion detection
and prevention systems (IDS/IPS), security information and event management (SIEM)
solutions, and log analysis tools to monitor network traffic, system logs, and other security
events.
9. Security Governance Framework: Establish a security governance framework that defines the
overall approach to information security and provides guidance for decision-making and
resource allocation. This framework should align with industry best practices and standards,
and it should be regularly reviewed and updated to adapt to emerging threats and
technologies.
10. Continuous Improvement: Information security planning and governance are iterative
processes. Continuously monitor and reassess your security posture, staying informed about
the latest threats and vulnerabilities. Regularly update policies and procedures, conduct
security awareness programs, and adapt security measures to address evolving risks.

Information Security Policy, Standards, and Practices

Information security policy, standards, and practices are key components of an organization's information
security framework. They provide the guidelines and procedures necessary to protect sensitive
information and ensure the confidentiality, integrity, and availability of data. Let's explore each of these
elements in more detail:
1. Information Security Policy: An information security policy is a high-level document that outlines
the organization's overall approach to information security. It establishes the management's
commitment to protecting information assets and sets the direction for security initiatives. The
policy should address key areas such as data classification, access controls, incident response,
acceptable use of resources, and compliance with relevant laws and regulations.
2. Information Security Standards: Information security standards are more detailed and specific
guidelines that support the policy. They define the technical and operational requirements that
must be followed to achieve compliance with the policy. Standards cover various areas such as
password management, network security, encryption, physical security, software development,
and system configuration. Compliance with these standards ensures consistency and uniformity
across the organization's security practices.
3. Security Practices and Procedures: Security practices and procedures provide the step-by-step
instructions for implementing the security policy and standards. These documents outline specific
actions to be taken in various security-related scenarios, such as incident response procedures,
change management processes, user access provisioning, and vulnerability management. Well-
defined practices and procedures help ensure that security controls are consistently applied and
enable effective response to security incidents.
 4. Access Controls: Access control practices govern the management of user accounts and
permissions within the organization's systems and networks. They include practices such as user
provisioning and deprovisioning, strong authentication mechanisms (e.g., multi-factor
authentication), access rights management, and segregation of duties. These controls ensure that
only authorized individuals have access to sensitive information and systems.
5. Data Protection and Privacy: Practices related to data protection and privacy are crucial for
safeguarding sensitive information. These practices include data classification and labeling,
encryption, data retention and disposal, data backup and recovery, and privacy controls. By
implementing these practices, organizations can protect sensitive data from unauthorized access,
loss, or disclosure.
6. Incident Response: Incident response practices and procedures define the steps to be taken when a
security incident occurs. They include incident identification, reporting, containment,
investigation, eradication, and recovery. Incident response plans should be regularly tested and
updated to ensure an effective and coordinated response to security incidents.
7. Security Awareness and Training: Security awareness and training programs educate employees
about security risks, policies, and best practices. These programs aim to foster a security-
conscious culture within the organization and empower employees to identify and respond to
security threats. Training may cover topics such as phishing awareness, social engineering,
password hygiene, secure remote work, and handling sensitive information.
8. Security Monitoring and Auditing: Security monitoring practices involve the continuous
monitoring of systems, networks, and applications to detect security incidents and anomalies.
This may include log monitoring, intrusion detection and prevention systems, security
information and event management (SIEM) solutions, and real-time alerts. Regular security
audits and assessments help identify vulnerabilities, measure compliance with security policies
and standards, and validate the effectiveness of security controls.
9. Change Management: Change management practices ensure that changes to systems,
applications, or configurations are implemented in a controlled and secure manner. These
practices include a defined change management process, testing and validation procedures,
documentation, and approvals. By following change management practices, organizations can
minimize the risk of introducing vulnerabilities or disruptions through unauthorized or poorly
managed changes.
10. Security Incident Reporting and Communication: Practices related to incident reporting and
communication establish clear channels for reporting security incidents and disseminating
information within the organization. This may include incident reporting procedures, incident
escalation protocols, communication plans for notifying affected parties, and coordination with
external stakeholders, such as law enforcement or regulatory authorities.

Continuity Strategies

Continuity strategies, also known as business continuity strategies, refer to the plans and approaches
organizations use to ensure the continued operation of critical business functions and minimize
disruptions during and after an unexpected event or crisis. These strategies aim to maintain essential
services, protect assets, and enable the organization to recover effectively. Here are some common
continuity strategies:
1. Business Impact Analysis (BIA): Conduct a business impact analysis to identify critical
business functions, processes, and dependencies. This analysis helps prioritize the allocation
of resources and determines the maximum acceptable downtime for each function.
2. Risk Assessment and Management: Perform a thorough risk assessment to identify potential
threats and vulnerabilities that could disrupt operations. Develop risk management strategies
to mitigate or minimize these risks. This may include implementing preventive controls,
redundancy measures, and disaster recovery solutions.
3. Backup and Recovery: Implement robust backup and recovery procedures to ensure the
availability and integrity of critical data and systems. This includes regular backups, offsite
storage, and periodic testing of the restoration process.
4. Redundancy and Resilience: Build redundancy into critical systems and infrastructure to
ensure alternative means of operation in the event of a failure. This may involve redundant
servers, network connections, power sources, or geographically distributed data centers.
Redundancy helps minimize single points of failure and increases system resilience.
5. Emergency Response and Incident Management: Develop and implement emergency
response plans to address immediate threats and incidents. Define roles, responsibilities, and
communication channels to enable a coordinated response during emergencies. This includes
incident assessment, containment, communication with stakeholders, and escalation
procedures.
6. Remote Work and Telecommuting: Establish the infrastructure and policies necessary to
support remote work and telecommuting during disruptive events. This may include
providing employees with remote access to essential systems, ensuring the security of remote
connections, and enabling effective communication and collaboration.
7. Alternative Facilities and Workspaces: Identify alternative facilities or workspaces that can be
used in case of a disruption to the primary workplace. This may involve prearranged
agreements with third-party providers or establishing temporary or mobile workstations.
8. Vendor and Supplier Management: Assess the criticality of vendors and suppliers to the
organization's operations and establish contingency plans for potential disruptions in their
services. Maintain alternative supplier relationships or develop backup plans to ensure the
availability of critical resources or services.
9. Training and Awareness: Conduct regular training and awareness programs to educate
employees about their roles and responsibilities during a disruption. Ensure employees are
familiar with the continuity strategies, emergency procedures, and their specific duties.
10. Testing and Exercising: Regularly test and exercise the continuity strategies through tabletop
exercises, simulations, or full-scale drills. These exercises help identify gaps, validate the
effectiveness of plans and procedures, and improve the organization's response capabilities.
 Republic of the Philippines
CAVITE STATE UNIVERSITY
CCAT Campus
Rosario, Cavite
 (046) 437-9505 /  (046) 437-6659
[email protected]
www.cvsu-rosario.edu.ph

LESSON 5

Risk Management

Define risk management, risk identification, risk assessment, and risk control
Risk management is a systematic process that involves identifying, assessing, and controlling risks to
minimize potential negative impacts on an organization's objectives. It is an essential practice for
businesses and other entities to proactively address uncertainties and potential threats that could hinder
the achievement of their goals.
1. Risk Identification: This is the initial step in the risk management process, where risks are
identified and documented. The goal is to create a comprehensive list of potential risks that
the organization may face. Risks can arise from various sources, such as financial
uncertainties, operational issues, strategic decisions, legal and regulatory changes, natural
disasters, technological failures, and more. By systematically identifying risks, organizations
can ensure that no significant threats are overlooked.
2. Risk Assessment: Once risks are identified, a risk assessment is conducted to evaluate their
potential impact and likelihood of occurrence. This step involves analyzing and prioritizing
risks based on their severity and probability. The severity refers to the potential consequences
of a risk event, while the probability indicates the likelihood of the risk occurring. This
assessment helps organizations understand the most critical risks they face and enables them
to allocate resources appropriately to address them.
3. Risk Control: After assessing risks, organizations develop and implement strategies to control
and mitigate them. This involves developing risk control measures and implementing risk
management plans. Risk control strategies can include risk avoidance (eliminating activities
that carry high risks), risk reduction (implementing measures to minimize the likelihood or
impact of risks), risk transfer (shifting the risk to another party through contracts or
insurance), and risk acceptance (acknowledging the risk and its potential consequences
without taking specific actions).

Define risk appetite and explain how it relates to residual risk

Risk appetite refers to the amount and type of risk that an organization is willing to accept or tolerate in
pursuit of its objectives. It represents the level of risk that an organization is prepared to take on in order
to achieve its desired outcomes. Risk appetite is often defined and established by senior management and
the board of directors, and it reflects the organization's risk culture, values, and strategic priorities.
The concept of risk appetite is closely related to residual risk. Residual risk refers to the level of risk that
remains after risk mitigation measures have been implemented. It represents the amount of risk that an
organization is exposed to despite its risk management efforts. Residual risk can arise due to various
factors, such as incomplete risk control measures, uncertainties, external events, or limitations in
resources or capabilities.
The relationship between risk appetite and residual risk can be understood as follows:
1. Risk Appetite Setting: Organizations establish their risk appetite by defining the acceptable
level of risk exposure within the context of their objectives and risk tolerance. This involves
considering factors such as the organization's risk capacity (the ability to absorb and manage
risks), strategic goals, regulatory requirements, stakeholder expectations, and industry norms.
The risk appetite statement provides guidance to decision-makers throughout the organization
on the acceptable boundaries of risk-taking.
2. Risk Assessment and Mitigation: Risk assessment helps identify and evaluate risks, and risk
mitigation measures are implemented to reduce the identified risks to an acceptable level.
These measures can include controls, safeguards, policies, procedures, and other risk
management actions. The aim is to bring the level of risk within the defined risk appetite by
reducing the likelihood and impact of potential risk events.
3. Residual Risk Evaluation: After implementing risk mitigation measures, the residual risk is
assessed. This involves evaluating the remaining risk exposure and comparing it against the
established risk appetite. If the residual risk exceeds the defined risk appetite, additional risk
management actions may be required to further reduce the risk or reconsider the
organization's risk tolerance.

Discuss conceptual frameworks for evaluating risk controls and formulate a cost-benefit analysis.

Conceptual frameworks for evaluating risk controls provide a structured approach to assess the
effectiveness of risk management measures and determine their value in mitigating risks. These
frameworks help organizations make informed decisions regarding the implementation or improvement of
controls by considering their costs and benefits. One such framework is the cost-benefit analysis.
1. Cost-Benefit Analysis: Cost-benefit analysis is a systematic approach to evaluate the financial and
non-financial costs and benefits associated with risk controls. It involves comparing the expected
costs of implementing and maintaining the controls against the anticipated benefits or value they
provide in reducing risks. The analysis aims to determine whether the benefits outweigh the costs
and if the controls are justifiable from a cost-effectiveness standpoint.
The steps involved in conducting a cost-benefit analysis for risk controls are as follows:
a. Identify and Quantify Costs: Identify all the costs associated with implementing and
maintaining the risk controls. This includes direct costs (e.g., capital investments, operational
expenses, training) and indirect costs (e.g., opportunity costs, resource reallocation). Quantify
these costs as accurately as possible to obtain a comprehensive view of the financial impact.
b. Identify and Quantify Benefits: Identify and quantify the benefits that can be achieved through
the implementation of risk controls. These benefits can include reductions in financial losses,
improved operational efficiency, enhanced safety, regulatory compliance, reputation protection,
and other positive outcomes. Assign a value to each benefit, either monetarily or qualitatively, to
facilitate comparison with the costs.
c. Timeframe and Discounting: Consider the timeframe over which the costs and benefits will
occur. Future costs and benefits should be discounted to account for the time value of money.
This helps in determining the present value of the costs and benefits and ensures a fair
comparison between different time periods.
d. Calculate Net Present Value (NPV): Calculate the net present value by subtracting the
discounted costs from the discounted benefits. A positive NPV indicates that the benefits
outweigh the costs, suggesting that the risk controls are financially viable.
e. Sensitivity Analysis: Perform a sensitivity analysis to assess the impact of changes in key
assumptions or variables. This helps identify the factors that have the most significant influence
on the cost-benefit analysis outcomes and provides insights into the robustness of the analysis.
f. Decision Making: Based on the cost-benefit analysis results, organizations can make informed
decisions regarding the implementation, modification, or elimination of risk controls. Controls
with a positive NPV are generally considered favorable, while those with a negative NPV may
need reconsideration.
 Republic of the Philippines
CAVITE STATE UNIVERSITY
CCAT Campus
Rosario, Cavite
 (046) 437-9505 /  (046) 437-6659
[email protected]
www.cvsu-rosario.edu.ph

LESSON 7

Security Technology

Discuss the role of access control in information systems, and identify and discuss the four
fundamental functions of access control systems

Access control plays a crucial role in information systems by ensuring the confidentiality, integrity, and
availability of data and resources. It is a security mechanism that allows organizations to manage and
regulate access to their digital assets, such as databases, files, networks, and applications. By
implementing access control systems, organizations can protect sensitive information, prevent
unauthorized access, and enforce security policies.
The four fundamental functions of an access control system are as follows:

• Identification: This function involves the unique identification of individuals or entities seeking
access to the system. It typically involves the use of unique identifiers such as usernames,
employee IDs, or digital certificates. Identification establishes the user's identity within the
system, enabling further access control processes.
• Authentication: Authentication is the process of verifying the claimed identity of a user. It ensures
that the individual or entity requesting access is indeed who they claim to be. Common
authentication methods include passwords, biometrics (fingerprint or iris scans), smart cards, or
two-factor authentication (combining two different authentication factors).
• Authorization: Once a user has been authenticated, authorization determines the level of access or
actions the user is allowed within the system. It involves granting appropriate permissions based
on predefined policies, roles, or access control lists (ACLs). Authorization ensures that users have
access only to the resources and functions they are authorized to use.
• Accountability: Accountability involves tracking and logging user activities within the system. It
enables organizations to monitor user actions, detect any unauthorized or malicious activities, and
establish a trail of responsibility. Accountability is vital for auditing, incident response, and
compliance purposes, as it provides a record of who accessed what, when, and from where.
Describe firewall technologies, various categories of firewalls, and the various approaches to
firewall implementation
A firewall is a network security device that acts as a barrier between an internal network and external
networks, such as the Internet. It monitors and controls incoming and outgoing network traffic based on
predetermined security rules, helping to protect the network from unauthorized access, malicious
activities, and potential threats.
There are several categories of firewalls commonly used in network security:

• Packet Filtering Firewall: This type of firewall examines individual packets of network traffic
based on predefined rules. It filters packets based on information such as source and destination
IP addresses, port numbers, and protocols. Packet filtering firewalls are generally fast and
efficient but offer limited capabilities to inspect the content of packets.
• Stateful Inspection Firewall: Stateful firewalls keep track of the state of network connections.
They not only examine individual packets but also maintain information about the state of
ongoing connections. This allows them to make more informed decisions about allowing or
blocking packets based on the context of the connection. Stateful inspection firewalls provide
better security than packet filtering firewalls and can prevent certain types of attacks, such as IP
spoofing and session hijacking.
• Application-Level Firewall: Application-level firewalls operate at the application layer of the
network stack and can monitor traffic at a higher level, understanding the content and context of
application protocols. They can enforce security policies based on specific application protocols
and perform deep packet inspection to detect and prevent application-level threats. Application-
level firewalls offer enhanced security for specific applications but may introduce higher
processing overhead.
• Next-Generation Firewall (NGFW): NGFWs combine the features of traditional firewalls with
additional security capabilities, such as intrusion prevention, deep packet inspection, SSL/TLS
inspection, and application awareness. NGFWs provide more advanced threat detection and
prevention mechanisms, including the ability to identify and block sophisticated attacks and
malware.
In terms of implementation approaches, there are different ways to deploy firewalls in a network:

• Network-based Firewalls: These firewalls are deployed at network boundaries, such as between
an internal network and the Internet. They protect the entire network by filtering traffic based on
predefined rules. Network-based firewalls are typically hardware appliances or software solutions
installed on dedicated servers.
• Host-based Firewalls: Host-based firewalls are installed on individual computers or servers. They
provide protection at the endpoint level, controlling inbound and outbound network traffic for
specific hosts. Host-based firewalls are useful in situations where fine-grained control over
network traffic is required, such as in laptops or servers.
• Virtual Firewalls: Virtual firewalls operate in virtualized environments and provide network
security within virtual networks or cloud infrastructure. They help protect virtual machines and
virtualized network segments by controlling traffic between virtual machines and external
networks.
• Cloud-based Firewalls: Cloud-based firewalls are firewall services provided by cloud service
providers. They are deployed and managed within the cloud infrastructure to protect cloud-based
 resources and applications. Cloud-based firewalls can be centrally managed, and scalable, and
offer additional features specific to cloud environments.

Describe virtual private networks (VPNs) and discuss the technology that enables them.

A virtual private network (VPN) is a technology that enables secure and private communication over
public networks, such as the Internet. It creates a secure and encrypted connection between the user's
device and a remote server or network, allowing users to access resources and transmit data as if they
were directly connected to the private network.
The technology that enables VPNs is based on a combination of encryption, tunneling, and authentication
mechanisms. Here's a breakdown of these components:

• Encryption: Encryption is a crucial aspect of VPN technology. It ensures that data transmitted
over the public network is secure and protected from unauthorized access. VPNs use
cryptographic protocols to encrypt the data, making it unreadable to anyone who intercepts it.
Common encryption protocols used in VPNs include Secure Socket Layer (SSL) and Transport
Layer Security (TLS) for securing web-based communications, as well as IPsec (Internet Protocol
Security) for securing IP-based communications.
• Tunneling: Tunneling is the process of encapsulating the original data within another packet or
protocol to create a secure connection. In the context of VPNs, tunneling protocols are used to
establish a private "tunnel" between the user's device and the VPN server or network. This
encapsulated data is then transmitted over the public network. Examples of tunneling protocols
used in VPNs include Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol
(L2TP), and Internet Key Exchange version 2 (IKEv2).
• Authentication: Authentication ensures that both ends of the VPN connection can verify each
other's identities. It prevents unauthorized access to the VPN network. Typically, authentication
mechanisms involve the use of usernames, passwords, digital certificates, or two-factor
authentication. Authentication protocols like Remote Authentication Dial-In User Service
(RADIUS) and Lightweight Directory Access Protocol (LDAP) are commonly used in VPN
deployments.
When a user initiates a VPN connection, their device establishes a secure connection to the VPN server or
network. The user's device encrypts the data and encapsulates it within a tunneling protocol. The
encrypted data is then transmitted through the public network to the VPN server. At the server end, the
encrypted data is decrypted, and the original data is forwarded to the destination network or resource.
This process ensures that the data remains secure and private throughout the transmission.
VPNs offer several benefits, including:

• Security: VPNs provide a secure channel for transmitting data over public networks, protecting it
from eavesdropping, data interception, and unauthorized access.
• Privacy: By encrypting data, VPNs ensure user privacy by preventing ISPs, governments, or other
entities from monitoring or tracking online activities.
• Remote Access: VPNs enable remote users to securely connect to corporate networks or access
resources as if they were physically present on-site.
• Bypassing Restrictions: VPNs can help bypass geo-restrictions and censorship by masking the
user's IP address and providing access to content or services that may be restricted in certain
regions.
 Republic of the Philippines
CAVITE STATE UNIVERSITY
CCAT Campus
Rosario, Cavite
 (046) 437-9505 /  (046) 437-6659
[email protected]
www.cvsu-rosario.edu.ph

LESSON 8

Crytography

Identify and describe the categories and models of intrusion detection and prevention systems

Intrusion Detection and Prevention Systems (IDPS) are security tools designed to detect and respond to
malicious activities within computer networks. There are several categories and models of IDPS, each
with its own approach to detecting and preventing intrusions. Here are some commonly recognized
categories and models:

• Network-based Intrusion Detection Systems (NIDS): NIDS monitors network traffic in real-
time and analyzes packets to identify suspicious or malicious activities. They can detect
various types of attacks, such as port scanning, denial-of-service (DoS) attacks, and
unauthorized access attempts.
• Host-based Intrusion Detection Systems (HIDS): HIDS are installed on individual hosts or
servers to monitor their activity and detect signs of compromise. These systems examine
system logs, file integrity, registry changes, and other host-specific events to identify
potential intrusions or unauthorized activities.
• Network Behavior Analysis (NBA): NBA systems monitor network traffic patterns and
behavior to identify anomalies and deviations from normal behavior. They analyze network
flows, bandwidth usage, and protocols to detect any unusual activity that may indicate a
security breach.
• Signature-based Intrusion Detection Systems (SIDS): SIDS utilize a database of known attack
signatures to identify and block malicious activities. They compare network or host data
against a signature database, and if a match is found, an alarm is triggered, and appropriate
action is taken.
• Anomaly-based Intrusion Detection Systems (AIDS): AIDS detect intrusions by analyzing
network or host behavior and identifying deviations from established baselines. These
systems create profiles of normal activity and then alert administrators when behavior outside
the expected patterns is detected.
• Hybrid Intrusion Detection Systems (HIDS): Hybrid IDS combine the capabilities of multiple
detection methods, such as signature-based and anomaly-based detection, to provide a more
comprehensive approach to intrusion detection. They leverage the strengths of different
models to improve detection accuracy and reduce false positives.
 It's worth noting that some IDPS may also incorporate intrusion prevention capabilities, allowing
them to actively respond and block detected threats. These systems can employ techniques like blocking
IP addresses, terminating network connections, or reconfiguring firewall rules to mitigate the impact of an
ongoing attack.

Describe the detection approaches employed by modern intrusion detection and prevention systems

Modern intrusion detection and prevention systems (IDPS) employ various detection approaches to
identify and respond to malicious activities. Here are some commonly used detection approaches:
1. Signature-based Detection: Signature-based detection relies on a database of known attack
signatures or patterns. The IDPS compares network traffic or host behavior against these
signatures to identify known threats. If a match is found, an alarm is triggered. Signature-
based detection is effective against known attacks but may struggle with detecting new or
unknown threats.
2. Anomaly-based Detection: Anomaly-based detection focuses on identifying deviations from
normal behavior. The IDPS establishes a baseline of normal network or host activity and
continuously monitors for any anomalies. This approach can detect previously unseen attacks
but may also generate false positives if legitimate activities deviate from the established
baseline.
3. Heuristic Detection: Heuristic detection involves the use of rules or algorithms to identify
suspicious patterns or behaviors. These rules are based on general guidelines of what might
indicate an attack. Heuristic detection can be effective in detecting previously unseen threats
and zero-day attacks. However, it can also generate false positives if the rules are overly
sensitive or not properly tuned.
4. Behavioral Analysis: Behavioral analysis focuses on monitoring and analyzing the behavior
of network users or systems to identify malicious activities. The IDPS tracks user activities,
network flows, system calls, and other indicators to detect any deviations from expected
behavior. Behavioral analysis can detect insider threats, advanced persistent threats (APTs),
and other sophisticated attacks that may not trigger signature-based or anomaly-based
detection.
5. Machine Learning (ML) and Artificial Intelligence (AI): Modern IDPS systems are
increasingly leveraging machine learning and artificial intelligence techniques. ML
algorithms analyze large amounts of data to identify patterns and anomalies that may indicate
attacks. These algorithms can adapt and learn from new data to improve detection accuracy
over time. ML and AI-based IDPS can effectively detect unknown threats, detect subtle attack
patterns, and reduce false positives.
6. Reputation-based Detection: Reputation-based detection relies on reputation services or threat
intelligence feeds to assess the reputation of IP addresses, domains, or files. The IDPS
compares incoming traffic against known malicious entities or blacklists to identify
potentially dangerous activity. Reputation-based detection can quickly block traffic from
known malicious sources, but it may miss new or emerging threats that have not yet been
classified.
Define and describe honeypots, honeynets, and padded cell systems.

Let's define and describe honeypots, honeynets, and padded cell systems:
• Honeypots: Honeypots are decoy systems or resources intentionally designed to attract and
deceive potential attackers. They are typically isolated and separate from the production network
and contain simulated vulnerabilities or enticing data to lure attackers. The main purpose of
honeypots is to gather information about the tactics, techniques, and motives of attackers,
allowing organizations to study and analyze their behavior. Honeypots can be classified into two
types:
o Production Honeypots: These are deployed within the production network to resemble
real systems or services. They help detect and divert attacks away from critical assets
while gathering information about the attacker's activities.
o Research Honeypots: These are deployed specifically for research and analysis purposes,
often in controlled environments. They aim to gain a deeper understanding of the
attacker's methods, tools, and motivations.
• Honeynets: Honeynets are more extensive and comprehensive versions of honeypots. They are
entire networks that simulate a realistic production environment, including various interconnected
systems, services, and resources. Honeynets provide a broader attack surface and offer a more
comprehensive view of attacker behavior. They allow researchers to capture and analyze attacks
across multiple systems and gain insights into the tactics and techniques used by attackers.
Honeynets are typically isolated from the production network to ensure that any compromise does
not affect critical assets.
• Padded Cell Systems: Padded cell systems, also known as sandbox environments, provide a
controlled and isolated environment where potentially malicious software or files can be executed
and analyzed safely. These systems simulate the execution environment of the target system but
with limited access and restricted privileges. Padded cell systems are used to analyze and study
the behavior of malware, identify its capabilities, and understand its potential impact. By
confining the malware within the sandbox, organizations can protect their production
environment from potential harm.
Padded cell systems employ various techniques such as virtualization, emulation, or containerization to
create a secure and controlled environment for executing suspicious files or applications. They often have
advanced monitoring and analysis capabilities to capture and analyze the behavior of the executed
software, including network activity, system calls, file modifications, and more. The insights gained from
padded cell systems help organizations improve their understanding of emerging threats, develop
effective countermeasures, and enhance their overall security posture.

Explain the basic principles of cryptography

The basic principles of cryptography revolve around the concepts of confidentiality, integrity,
authentication, and non-repudiation. Cryptography is the practice of securing communication and data by
transforming it into an unreadable form using encryption techniques. The following principles form the
foundation of cryptography:
1. Confidentiality: Confidentiality ensures that information remains hidden from unauthorized
individuals or entities. Cryptographic algorithms and techniques, such as encryption, are used
 to convert plaintext (readable data) into ciphertext (encrypted data). Only authorized parties
with the appropriate decryption keys can convert the ciphertext back into plaintext, thus
ensuring confidentiality.
2. Integrity: Integrity ensures that data remains unchanged and unaltered during transmission or
storage. Cryptographic mechanisms, such as cryptographic hashes or message authentication
codes (MACs), are employed to verify the integrity of data. By generating a unique hash or
MAC for a given set of data, any alterations or modifications to the data can be detected.
3. Authentication: Authentication ensures the verification of the identity of communicating
parties. Cryptographic protocols, such as digital signatures, are used to establish the
authenticity and integrity of digital documents or messages. Digital signatures are created
using the private key of a sender and can be verified using the corresponding public key. This
process helps ensure that the message or document originates from the claimed sender and
has not been tampered with during transit.
4. Non-Repudiation: Non-repudiation prevents individuals from denying their involvement or
actions in a communication or transaction. Cryptographic techniques, such as digital
signatures and certificates, provide non-repudiation by providing proof of origin and integrity.
A digitally signed message or document can be independently verified using the sender's
public key, ensuring that the sender cannot deny their involvement.
5. Key Management: Key management is an essential aspect of cryptography. Encryption and
decryption rely on the use of cryptographic keys. Cryptographic systems use symmetric keys
(shared secret keys) or asymmetric keys (public-private key pairs) for encryption and
decryption processes. Key management involves generating, distributing, storing, and
revoking keys securely to ensure the confidentiality and integrity of encrypted data.
6. Cryptographic Algorithms: Cryptographic algorithms form the mathematical foundations of
cryptography. They define the specific mathematical operations and transformations used for
encryption, decryption, hashing, and other cryptographic processes. Cryptographic algorithms
can be categorized into symmetric-key algorithms (e.g., AES, DES) and asymmetric-key
algorithms (e.g., RSA, ECC). These algorithms provide the mathematical framework for
implementing confidentiality, integrity, authentication, and non-repudiation.

Describe the operating principles of the most popular cryptographic tools

There are several popular cryptographic tools and algorithms used in various applications. Here, I'll
describe the operating principles of some of the most widely used cryptographic tools:
1. Advanced Encryption Standard (AES): AES is a symmetric-key encryption algorithm widely
adopted as the successor to the Data Encryption Standard (DES). It operates on fixed-size
blocks of data and uses a symmetric key for both encryption and decryption. AES supports
key sizes of 128, 192, and 256 bits. It employs substitution-permutation network (SPN)
architecture, which involves multiple rounds of substitution, permutation, and mixing
operations to provide strong security. AES is widely used in securing sensitive data, such as
in data storage, network communications, and secure messaging.
2. RSA: RSA is an asymmetric-key algorithm that provides encryption, decryption, digital
signatures, and key exchange capabilities. It relies on the mathematical properties of large
prime numbers and the computational difficulty of factoring large numbers. RSA uses a
public-private key pair, where the public key is used for encryption and verification, and the
private key is used for decryption and signing. The security of RSA is based on the difficulty
 of factoring large composite numbers. RSA is commonly used in secure email, SSL/TLS, and
other applications requiring secure key exchange or digital signatures.
3. Diffie-Hellman Key Exchange: Diffie-Hellman (DH) is a key exchange protocol that enables
two parties to establish a shared secret key over an insecure channel. It is an asymmetric
algorithm that allows parties to agree upon a shared secret without transmitting the key
directly. DH is based on the computational difficulty of solving the discrete logarithm
problem. The protocol involves exchanging public values and performing mathematical
calculations to derive the shared secret key. Diffie-Hellman is widely used in establishing
secure communication channels, such as in SSL/TLS and VPNs.
4. Secure Hash Algorithms (SHA): The Secure Hash Algorithms, such as SHA-1, SHA-256, and
SHA-3, are cryptographic hash functions used to ensure data integrity and produce fixed-size
hash values. These algorithms take input data and generate a hash value of a fixed length. The
resulting hash is unique to the input data, and even a small change in the input produces a
significantly different hash value. SHA algorithms are widely used for password storage,
digital signatures, integrity verification, and data integrity checks.
5. Secure Sockets Layer/Transport Layer Security (SSL/TLS): SSL/TLS protocols provide
secure communication over the Internet by encrypting data transmitted between clients and
servers. These protocols use a combination of symmetric-key and asymmetric-key
encryption, digital certificates, and key exchange mechanisms. SSL/TLS ensures
confidentiality, integrity, and authenticity of data exchanged between parties. They are
commonly used in secure websites (HTTPS), email encryption (S/MIME), and other
applications requiring secure communication.

List and explain the major protocols used for secure

There are several major protocols used for secure communication and data transfer. Here are some of the
most widely adopted protocols:
1. Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS): SSL and TLS
are cryptographic protocols that provide secure communication over networks, typically the
internet. They establish an encrypted connection between a client and a server, ensuring the
confidentiality and integrity of the data transmitted. SSL and TLS protocols use a
combination of asymmetric-key and symmetric-key encryption, digital certificates, and key
exchange mechanisms to secure the communication. They are commonly used in secure
websites (HTTPS), email encryption (S/MIME), virtual private networks (VPNs), and other
applications requiring secure communication.
2. Internet Protocol Security (IPsec): IPsec is a suite of protocols that provide security services
at the IP layer of the network stack. It enables secure communication and data transfer
between network devices. IPsec can operate in two main modes: Transport mode and Tunnel
mode. In Transport mode, only the data payload is encrypted, while in Tunnel mode, the
entire IP packet is encapsulated and encrypted. IPsec provides authentication, data integrity,
and encryption, making it suitable for securing virtual private networks (VPNs), site-to-site
communication, and remote access connections.
3. Secure Shell (SSH): SSH is a network protocol used for secure remote login and secure file
transfer. It provides encrypted communication and secure authentication between a client and
a server. SSH uses asymmetric-key encryption to establish a secure connection and
 symmetric-key encryption for data transmission. SSH ensures secure remote administration,
remote command execution, and secure file transfers (SFTP/SCP) over an insecure network.
4. Pretty Good Privacy (PGP) and GNU Privacy Guard (GPG): PGP and GPG are protocols and
software implementations used for email encryption and digital signatures. They utilize
asymmetric-key encryption and digital signatures to provide confidentiality and integrity of
email communication. PGP and GPG allow users to encrypt and decrypt messages, as well as
digitally sign messages to verify authenticity and non-repudiation. They are widely used for
secure email communication and data protection.
5. Secure File Transfer Protocol (SFTP): SFTP is a protocol that enables secure file transfer over
a network. It combines the features of the traditional File Transfer Protocol (FTP) with the
security of SSH. SFTP provides encrypted data transmission and authentication using SSH's
secure channel. It is commonly used for secure file transfers and remote file management.