
Information Security Fundamentals Lecture 01 Part 2

The document discusses the history and key concepts of information security. It covers the early developments in computer security from the 1940s to 1960s and the growth of security concerns as networks expanded. The document also defines important security concepts like confidentiality, integrity, availability and provides examples of security requirements.

Uploaded by

fsamreen30970

Information Security Fundamentals
BSIT
Course Code – CS-223
Introduction
• Computer security began immediately after the first mainframes
were developed
– Groups developing code-breaking computations during World War II
created the first modern computers
– Multiple levels of security were implemented
• Physical controls to limit access to sensitive military locations to
authorized personnel
• Rudimentary in defending against physical theft, espionage, and
sabotage
History of Information Security
Key Dates in Information Security
Date Document
1968 Maurice Wilkes discusses password security in Time-Sharing Computer Systems.
1970 Willis H. Ware authors the report Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security—RAND R-609, which was not declassified until 1979. It became known as the seminal work identifying the need for computer security.
1973 Schell, Downey, and Popek examine the need for additional security in military systems in Preliminary Notes on the Design of Secure Military Computer Systems.
1975 The Federal Information Processing Standards (FIPS) examines DES (Digital Encryption Standard) in the Federal Register.
1978 Bisbey and Hollingsworth publish their study “Protection Analysis: Final Report,” which discussed the Protection Analysis project created by ARPA to better understand the vulnerabilities of operating system security and examine the possibility of automated vulnerability detection techniques in existing system software.
Key Dates in Information Security (contd.)
Date Document
1979 Dennis Ritchie publishes “On the Security of UNIX” and “Protection of Data File Contents,” which discussed secure user IDs, secure group IDs, and the problems inherent in the systems.
1982 The U.S. Department of Defense Computer Security Evaluation Center publishes the first version of the Trusted Computer Security (TCSEC) documents, which came to be known as the Rainbow Series.
1982 Grampp and Morris write “The UNIX System: UNIX Operating System Security.” In this report the authors examined four “important handles to computer security”: physical control of premises and computer facilities, management commitment to security objectives, education of employees, and administrative procedures aimed at increased security.
1984 Reeds and Weinberger publish “File Security and the UNIX System Crypt Command.” Their premise was: “No technique can be secure against wiretapping or its equivalent on the computer. Therefore no technique can be secure against the system administrator or other privileged users... the naive user has no chance.”
1992 Researchers for the Internet Engineering Task Force, working at the Naval Research Laboratory, develop the Simple Internet Protocol Plus (SIPP) Security protocols, creating what is now known as IPSEC security.
The 1960s
• The Department of Defence's Advanced Research Procurement Agency (ARPA) began examining the feasibility of a redundant networked communications system designed to support the military’s need to exchange information.
• Larry Roberts, known as the founder of the Internet, developed the project from its inception.
The 1970s and 1980s
• ARPANET grew in popularity as did its potential for misuse
• Fundamental problems with ARPANET security were identified
– No safety procedures for dial-up connections to ARPANET
– Nonexistent user identification and authorization to system
• Late 1970s: microprocessor expanded computing capabilities and
security threats
The 1970s and 1980s (contd.)
• Information security began with Rand Report R-609 (paper that
started the study of computer security and identified role of
management and policy issues in it)
• Scope of computer security grew from physical security to
include:
– Securing the data
– Limiting random and unauthorized access to data
– Involving personnel from multiple levels of the organization in
information security
The 1990s
• Networks of computers became more common; so did the
need to connect them to each other
• Internet became first global network of networks
• Initially based on de facto standards
• In early Internet deployments, security was treated as a low
priority
• In 1993, DEFCON conference established for those interested
in information security
2000 to Present
• The Internet brings millions of unsecured computer networks into
continuous communication with each other
• Ability to secure a computer’s data influenced by the security of
every computer to which it is connected
• Growing threat of cyber attacks has increased the awareness of
need for improved security
– Nation-states engaging in information warfare
Security, Information Security
Security
• “A state of being secure and free from danger or harm; the
actions taken to make someone or something secure”
• It means to be protected from adversaries--from those who
would do harm, intentionally or otherwise.
• A successful organization should have multiple layers of security
in place to protect:
– Physical Infrastructure
– People
– Operations
– Communications
– Network
Information Security
• The protection of information and its critical elements, including
systems and hardware that use, store, and transmit that
information
• Includes information security management, data security, and
network security
• To protect the information and its related systems from danger, tools such as policy, awareness, training, education, and technology are necessary.
Key Components of Information Security
• Confidentiality
• Data confidentiality: assures that confidential information is not disclosed to unauthorized individuals
• Privacy: assures that individuals control or influence what information may be collected and stored
• Integrity
• Data integrity: assures that information and programs are changed only in a specified and authorized manner
• System integrity: assures that a system performs its operations in an unimpaired manner
• Availability: assures that systems work promptly and service is not denied to authorized users
CIA Triad
Other Concepts to Complete Security Picture
• Authenticity: the property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or its originator
• Accountability: generates the requirement for actions of an entity to be traced uniquely to that entity to support nonrepudiation, deterrence, fault isolation, etc.
Levels of Security Breach Impact
• Low: the loss will have a limited impact, e.g., a degradation in mission or minor damage or minor financial loss or minor harm
• Moderate: the loss has a serious effect, e.g., significant degradation in mission or significant harm to individuals but no loss of life or life-threatening injuries
• High: the loss has a severe or catastrophic adverse effect on operations, organizational assets or on individuals (e.g., loss of life)
Examples of Security Requirements: Confidentiality
• Student grade information is an asset whose confidentiality is considered to be very high
• The US FERPA Act: grades should only be available to students, their parents, and their employers (when required for the job)
• Student enrollment information: may have moderate confidentiality rating; less damage if disclosed
• Directory information: low confidentiality rating; often available publicly
Examples of Security Requirements: Integrity
• A hospital patient’s allergy information (high integrity data): a doctor should be able to trust that the info is correct and current
• If a nurse deliberately falsifies the data, the database should be restored to a trusted basis and the falsified information traced back to the person who did it
• Online newsgroup registration data: moderate level of integrity
• An example of low integrity requirement: anonymous online poll (inaccuracy is well understood)
Examples of Security Requirements: Availability
• A system that provides authentication: high availability requirement
• If customers cannot access resources, the loss of services could result in financial loss
• A public website for a university: a moderate availability requirement; not critical but causes embarrassment
• An online telephone directory lookup: a low availability requirement because unavailability is mostly annoyance (there are alternative sources)
Terminologies
Role of a Computer System
• Computer can be a subject and/or object of an
attack.
• Subject – active tool to conduct an attack.
• Object – entity being attacked
• 2 types of attack
• Direct
• Hacker uses their computer to break into a system
• Indirect
• System is compromised and used to attack other systems
Key terminologies
• Access
• a subject or object’s ability to use, manipulate, modify, or
affect another subject or object.
• Asset
• the organizational resource that is being protected.
• Attack
• an intentional or unintentional act that can damage or otherwise
compromise information and the systems that support it.
• Control, Safeguard, or Countermeasure
• Security mechanisms, policies, or procedures that can successfully
counter attacks, reduce risk, resolve vulnerabilities, and
otherwise improve security within an organization.
• Exploit
• a technique used to compromise a system.
• Exposure
• a condition or state of being exposed.
Key Terminologies (contd.)
• Loss:
• A single instance of an information asset suffering damage or
destruction, unintended or unauthorized modification or
disclosure, or denial of use.
• Protection Profile or Security Posture
• entire set of controls and safeguards that the organization
implements to protect the asset.
• Risk
• the probability of an unwanted occurrence.
• Threat
• a category of objects, people, or other entities that represents a
danger to an asset.
• Threat Agent
• the specific instance or a component of a threat.
• Vulnerability
• weaknesses or faults in a system or protection mechanism that
expose information to attack or damage.
Security Concepts and Relationship