Dis Notes

Uploaded by vishnuramrk123

UNIT 1- INTRODUCTION


History, what is Information Security? Critical Characteristics of Information,
NSTISSC Security Model, Components of an Information System, Securing
the Components, Balancing Security and Access, The SDLC, The Security
SDLC

The History of Information Security

Key Term
computer security In the early days of computers, this term specified the need to
secure the physical location of computer technology from outside threats. This term
later came to represent all actions taken to preserve computer systems from losses. It
has evolved into the current concept of information security as the scope of
protecting information in an organization has expanded.

The history of information security begins with the concept of computer security. The need for computer security arose during World War II, when the first mainframe computers were developed.
The 1960s
During the Cold War, many more mainframe computers were brought online to accomplish more complex and sophisticated tasks. These mainframes required a less cumbersome process of communication than mailing magnetic tapes between computer centers. In response to this need, the Department of Defense's Advanced Research Projects Agency (ARPA) began examining the feasibility of a redundant, networked communications system to support the military's exchange of information.
In 1968, Dr. Larry Roberts developed the ARPANET project. ARPANET evolved into what we now know as the Internet, and Roberts became known as its founder.

The 1970s and 80s


During the next decade, ARPANET became more popular and saw wider use, increasing the potential for its misuse. In 1973, Internet pioneer Robert M. Metcalfe, one of the creators of Ethernet, a dominant local area networking protocol, identified fundamental problems with ARPANET security.
In 1978, Richard Bisbey and Dennis Hollingworth, two researchers in the Information Sciences Institute at the University of Southern California, published a study entitled "Protection Analysis: Final Report."

The 1990s
At the close of the 20th century, networks of computers became more common, as did the need to connect them to each other. This gave rise to the Internet, the first global network of networks. The Internet was made available to the general public in the 1990s after decades of being the domain of government, academia, and dedicated industry professionals. The Internet brought connectivity to virtually all computers that could reach a phone line or an Internet-connected local area network (LAN).
In 1993, the first DEFCON conference was held in Las Vegas. Originally it was established as a gathering for people interested in information security, including authors, lawyers, government employees, and law enforcement officials.
2000 to Present
Today, the Internet brings millions of unsecured computer networks into continuous communication with each other. The security of each computer's stored information is contingent on the security level of every other computer to which it is connected. Recent years have seen a growing awareness of the need to improve information security, as well as a realization that information security is important to national defense.


INTRODUCTION
Information technology is the vehicle that stores and transports information, a company's most valuable resource, from one business unit to another.
But what happens if the vehicle breaks down, even for a little while?
As businesses have become more fluid, the concept of computer security has been replaced by the concept of information security.
Because this new concept covers a broader range of issues, from the protection of data to the protection of human resources, information security is no longer the sole responsibility of a discrete group of people in the company; rather, it is the responsibility of every employee, and especially managers.
Organizations must realize that information security funding and planning decisions involve more than just technical managers. Rather, the process should involve three distinct groups of decision makers, or communities of interest:
• Information security managers and professionals
• Information technology managers and professionals
• Nontechnical business managers and professionals
These communities of interest fulfill the following roles:
• The information security community protects the organization's information assets from the many threats they face.
• The information technology community supports the business objectives of the organization by supplying and supporting information technology appropriate to the business's needs.
• The nontechnical general business community articulates and communicates organizational policy and objectives and allocates resources to the other groups.

What is information security?


 Information security in today's enterprise is a "well-informed sense of assurance that the information risks and controls are in balance." (James Anderson, Inovant)

What Is Security?
Key Terms
C.I.A. triangle The industry standard for computer security since the development of
the mainframe. The standard is based on three characteristics that describe the utility of
information: confidentiality, integrity, and availability.
communications security The protection of all communications media, technology,
and content.
information security Protection of the confidentiality, integrity, and availability of
information assets, whether in storage, processing, or transmission, via the application
of policy, education, training and awareness, and technology.
network security A subset of communications security; the protection of voice and
data networking components, connections, and content.
physical security The protection of physical items, objects, or areas from
unauthorized access and misuse.
security A state of being secure and free from danger or harm. Also, the actions taken
to make someone or something secure.

In general, security is defined as “the quality or state of being secure—to be free from danger.”
Security is often achieved by means of several strategies usually undertaken simultaneously or
used in combination with one another.

A successful organization should have multiple layers of security in place:

• Physical security, which encompasses strategies to protect people, physical assets, and the workplace from various threats including fire, unauthorized access, or natural disasters
• Personal security, which overlaps with physical security in the protection of the people within the organization
• Operations security, which focuses on securing the organization's ability to carry out its operational activities without interruption or compromise
• Communications security, which encompasses the protection of an organization's communications media, technology, and content, and its ability to use these tools to achieve the organization's objectives
• Network security, which addresses the protection of an organization's data networking devices, connections, and contents, and the ability to use that network to accomplish the organization's data communication functions
Information security includes the broad areas of information security management, computer and data security, and network security.
Where is it used?
 Governments, military, financial institutions, hospitals, and private businesses.
 Protecting confidential information is a business requirement.
Information security components are:
 Confidentiality
 Integrity
 Availability (CIA)

The Committee on National Security Systems (CNSS) defines information security as the protection of information and its critical elements, including the systems and hardware that use, store, and transmit the information. Figure 1 shows that information security includes the broad areas of information security management, data security, and network security. The CNSS model of information security evolved from a concept developed by the computer security industry called the C.I.A. triangle.

Figure 1 Components of information security (information security governance; management of information security; policy; computer and data security; network security; data and services)
Figure 2 The C.I.A. triangle (confidentiality, integrity, availability)


 The C.I.A. triangle (see Figure 2 ) has been the standard for computer security in
both industry and government since the development of the mainframe. This standard
is based on the three characteristics of information that give it value to organizations:
confidentiality, integrity, and availability.
 The security of these three characteristics is as important today as it has always been,
but the C.I.A. triangle model is generally viewed as no longer adequate in addressing
the constantly changing environment.
 The threats to the confidentiality, integrity, and availability of information have
evolved into a vast collection of events, including accidental or intentional damage,
destruction, theft, unintended or unauthorized modification, or other misuse from
human or nonhuman threats.

Critical Characteristics of Information


 When a characteristic of information changes, the value of the information may increase or decrease.
 Information has many characteristics; the critical ones for information security are:
 Availability
 Accuracy
 Authenticity
 Confidentiality
 Integrity
 Utility
 Possession
Availability
 Availability enables authorized users to access information and receive it in the required format.
 Availability does not imply that the information is accessible to any user; rather, it means availability to authorized users.
Consider, for example, research libraries that require identification before entrance. Librarians protect the contents of the library so that they are available only to authorized patrons. The librarian must accept a patron's identification before the patron has free access to the book stacks. Once authorized patrons have access to the stacks, they expect to find the information they need in a usable format and familiar language. In this case, the information is bound in a book that is written in English.

Accuracy
 Accuracy of information refers to information which is free from mistakes or errors and has the value the end user expects.
 If the information has been intentionally or unintentionally modified, it is no longer accurate.
Consider a checking account, for example. You assume that the information in your account is an accurate representation of your finances. Incorrect information in the account can result from external or internal errors. If a bank teller, for instance, mistakenly adds or subtracts too much money from your account, the value of the information is changed. Or, you may accidentally enter an incorrect amount into your account register. Either way, an inaccurate bank balance could cause you to make other mistakes, such as bouncing a check.

Authenticity
 Authenticity refers to the quality or state of being genuine or original, rather than a reproduction or fabrication.
 Information is authentic when it is in the same state in which it was created, placed, stored, or transmitted.
Attacks on authenticity
Email spoofing: sending e-mail with a modified sender address field so that it appears to come from someone else.
Phishing: obtaining personal or financial information in a fraudulent manner, typically by impersonating a trusted party.
Confidentiality
 Information has confidentiality when exposure to unauthorized individuals or systems is prevented.
 To protect the confidentiality of information, a number of measures are used:
 Information classification
 Secure document storage
 Application of general security policies
 Education of information custodians and end users
The value of information confidentiality is especially high for personal information about employees, customers, or patients. People who transact with an organization expect that their personal information will remain confidential, whether the organization is a federal agency, such as the Internal Revenue Service, or a business.
Integrity

 Integrity means that data cannot be modified without authorization.
 Information has integrity when it is whole, complete, and uncorrupted.
 The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state.
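The authenticity and integrity characteristics above can be checked mechanically, and the difference between them is easy to show in code. The following Python example is added here and is not part of the original notes. A plain SHA-256 digest detects modification (integrity) but can be recomputed by whoever altered the message, so it says nothing about who produced it; an HMAC computed under a secret key shared by sender and receiver also establishes that the message came from a key holder (authenticity), which is exactly what a spoofed e-mail lacks. The transfer instruction and the keys are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample message (not from the notes): an internal transfer
# instruction, and the same message after an attacker changes the amount.
ORIGINAL = b"transfer 100.00 from acct 1234 to acct 9876"
TAMPERED = b"transfer 900.00 from acct 1234 to acct 9876"


def digest(message: bytes) -> str:
    """Integrity only: a SHA-256 digest changes if any bit of the message
    changes, but anyone, including the attacker, can recompute it."""
    return hashlib.sha256(message).hexdigest()


def integrity_ok(message: bytes, expected_digest: str) -> bool:
    """True if the message still matches the digest recorded for it."""
    return hmac.compare_digest(digest(message), expected_digest)


def tag(message: bytes, key: bytes) -> str:
    """Integrity plus authenticity: HMAC-SHA256 under a key shared by
    sender and receiver. Without the key a forger cannot produce a valid
    tag, so a matching tag shows the message is both intact and genuine."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def authentic(message: bytes, key: bytes, expected_tag: str) -> bool:
    """compare_digest runs in constant time, closing the timing side
    channel that a plain == comparison of tags would open."""
    return hmac.compare_digest(tag(message, key), expected_tag)


def demo() -> dict:
    """Run the attack scenario and return what each check reports."""
    key = secrets.token_bytes(32)          # shared secret, generated for the demo
    recorded_digest = digest(ORIGINAL)     # what the receiver was told to expect
    recorded_tag = tag(ORIGINAL, key)

    # The attacker alters the amount and simply recomputes the digest:
    # a digest on its own cannot tell the receiver anything went wrong.
    forged_digest = digest(TAMPERED)
    # The attacker does not hold the shared key; the best they can do is
    # compute a tag under a key of their own, which will not verify.
    forged_tag = tag(TAMPERED, secrets.token_bytes(32))

    return {
        "original_integrity": integrity_ok(ORIGINAL, recorded_digest),
        "tampered_integrity": integrity_ok(TAMPERED, recorded_digest),
        "tampered_recomputed_digest": integrity_ok(TAMPERED, forged_digest),
        "original_authentic": authentic(ORIGINAL, key, recorded_tag),
        "tampered_authentic": authentic(TAMPERED, key, recorded_tag),
        "forged_tag_authentic": authentic(TAMPERED, key, forged_tag),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:<28} {result}")
```

The only line that comes out True for the attacker is `tampered_recomputed_digest`: a digest stored next to the data it protects is worthless against a deliberate adversary, which is why integrity controls for data at rest either keep the reference digests somewhere the attacker cannot write, or use a keyed MAC (or a digital signature) so that recomputing is not an option.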
Utility
 The utility of information is the quality or state of having value for some purpose or end.
 Information that is available but not in a meaningful format to the end user has little utility.
Possession

 The possession of information is the quality or state of having ownership or control of some object or item.

NSTISSC Security Model

The model is maintained by the Committee on National Security Systems (CNSS), which is responsible for coordinating the evaluation and publication of standards related to the protection of National Security Systems (NSS). CNSS was originally called the National Security Telecommunications and Information Systems Security Committee (NSTISSC) when it was established in 1990 by a National Security Directive.

Figure 3 The McCumber Cube (axes shown: confidentiality, integrity, availability; storage, processing, transmission)

The CNSS model is a comprehensive information security model and has become a widely accepted evaluation standard for the security of information systems. The CNSS standards are expected to be replaced by the new NIST SP 800-16, "Information Technology Security Training Requirements: A Role-Based Model for Federal Information Technology/Cyber Security Training," in the near future.
The model, which was created by John McCumber in 1991, provides a graphical representation of the architectural approach widely used in computer and information security; it is now known as the McCumber Cube. As shown in Figure 3, the McCumber Cube has three dimensions: the security goals (confidentiality, integrity, availability), the information states (storage, processing, transmission), and the countermeasures (policy, education, technology). Taking the three elements of each axis together gives a 3×3×3 cube with 27 cells, each representing an area that must be addressed to secure today's information systems. To ensure system security, each of the 27 areas must be properly addressed during the security process. For example, the intersection of technology, integrity, and storage requires a control or safeguard that addresses the need to use technology to protect the integrity of information while in storage. One such control might be a host intrusion detection system that protects the integrity of information by alerting security administrators to the potential modification of a critical file.
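In practice the cube is used as a checklist: every one of the 27 cells needs at least one control, and the cells nobody has claimed are the gaps. The Python example below is added here and is not from the original notes. It enumerates the cells, maps a control inventory onto them and reports the uncovered cells per countermeasure. The inventory is constructed for the example; the host-based IDS entry is the page's own (integrity, storage, technology) case, and the third axis uses McCumber's policy/education/technology elements, of which the page names only technology.

```python
from itertools import product

# The three axes of the McCumber Cube. The notes name technology as one
# element of the countermeasure axis; policy and education are the other two
# in McCumber's model.
GOALS = ("confidentiality", "integrity", "availability")
STATES = ("storage", "processing", "transmission")
MEASURES = ("policy", "education", "technology")

ALL_CELLS = frozenset(product(GOALS, STATES, MEASURES))   # 27 cells

# Constructed sample control inventory (not from the notes). Each control is
# mapped to the (goal, state, measure) cells it addresses.
CONTROLS = {
    "host-based IDS alerting on critical file changes": [
        ("integrity", "storage", "technology")],
    "full-disk encryption on laptops and servers": [
        ("confidentiality", "storage", "technology")],
    "TLS on all internal services": [
        ("confidentiality", "transmission", "technology"),
        ("integrity", "transmission", "technology")],
    "nightly off-site backups": [
        ("availability", "storage", "technology")],
    "enterprise information security policy": [
        (goal, state, "policy") for goal in GOALS for state in STATES],
    "annual phishing awareness training": [
        ("confidentiality", "processing", "education"),
        ("confidentiality", "transmission", "education")],
}


def covered_cells(controls):
    """Map each covered cell to the controls that address it. A cell outside
    the cube is rejected so that a typo in the inventory cannot hide a gap."""
    covered = {}
    for name, cells in controls.items():
        for cell in cells:
            if cell not in ALL_CELLS:
                raise ValueError(f"{name!r} claims a cell outside the cube: {cell}")
            covered.setdefault(cell, []).append(name)
    return covered


def gaps(controls):
    """Cells of the cube that no control in the inventory addresses, sorted."""
    return sorted(ALL_CELLS - set(covered_cells(controls)))


def gaps_by_measure(controls):
    """Uncovered cells per countermeasure, the usual way a gap analysis is
    reported ('education covers 2 of 9 cells')."""
    counts = {measure: 0 for measure in MEASURES}
    for _goal, _state, measure in gaps(controls):
        counts[measure] += 1
    return counts


def report(controls):
    """Human-readable coverage summary."""
    missing = gaps(controls)
    lines = [f"{len(ALL_CELLS) - len(missing)}/{len(ALL_CELLS)} cells covered"]
    for goal, state, measure in missing:
        lines.append(f"GAP: {measure:<10} {goal:<15} in {state}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(CONTROLS))
```

With the sample inventory the policy axis is fully covered by the blanket policy entry, while education covers only two cells and technology leaves availability in processing and transmission untouched; that is the kind of finding the cube is meant to surface before a control is mistaken for coverage of a whole goal.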

Components of an Information System

Key Term
information system (IS) The entire set of software, hardware, data, people, procedures,
and networks that enable the use of information resources in the organization.

 Software
 Hardware
 Data
 People
 Procedures
 Networks
Software
The software components of an IS comprise applications, operating systems, and assorted command utilities. Software programs are the vessels that carry the lifeblood of information through an organization. They are often created under the demanding constraints of project management, which limit time, cost, and manpower.

Hardware
Hardware is the physical technology that houses and executes the software, stores and carries
the data, and provides interfaces for the entry and removal of information from the system.
Physical security policies deal with hardware as a physical asset and with the protection of these
physical assets from harm or theft. Applying the traditional tools of physical security, such as
locks and keys, restricts access to and interaction with the hardware components of an
information system. Securing the physical location of computers and the computers themselves
is important because a breach of physical security can result in a loss of information.
Unfortunately, most information systems are built on hardware platforms that cannot guarantee
any level of information security if unrestricted access to the hardware is possible.

Data
 Data stored, processed, and transmitted through a computer system must be protected.
 Data is often the most valuable asset possessed by an organization and is the main target
of intentional attacks.
 Data is the raw, unorganized, discrete (separate, isolated), potentially useful facts and figures that are later processed (manipulated) to produce information.
Figure 4 Components of an information system (hardware, software, data, people, procedures, networks)

People
There are many roles for people in information systems. Common ones include
 Systems Analyst
 Programmer
 Technician
 Engineer
 Network Manager
 MIS (Manager of Information Systems)
 Data entry operator
Procedures
A procedure is a series of documented actions taken to achieve something. A procedure is more
than a single simple task. A procedure can be quite complex and involved, such as performing a
backup, shutting down a system, patching software.
Networks
 When information systems are connected to each other to form Local Area Network
(LANs), and these LANs are connected to other networks such as the Internet, new security
challenges rapidly emerge.
Steps to provide network security are essential, as is the implementation of alarm and intrusion
systems to make system owners aware of ongoing compromises.
Securing the Components
- Protecting the components from potential misuse and abuse by unauthorized users.
Subject of an attack – the computer is used as an active tool to conduct the attack.
Object of an attack – the computer itself is the entity being attacked.
Two types of attacks:
1. Direct attack
When a hacker uses his personal computer to break into a system. [Originates from the threat itself.]
2. Indirect attack
When a system is compromised and used to attack other systems. [Originates from a system or resource that itself has been attacked, and is malfunctioning or working under the control of a threat.]
 A computer can, therefore, be both the subject and object of an attack when, for example, it is first the object of an attack and then compromised and used to attack other systems, at which point it becomes the subject of an attack.

Figure: Computer as the subject and object of an attack. A hacker uses a computer (the subject of the attack) to send a request across the Internet to a remote system (the object of the attack); stolen information flows back to the hacker.

Balancing Information Security and Access


Even with the best planning and implementation, it is impossible to obtain perfect information
security. Recall James Anderson’s statement from the beginning of this chapter, which
emphasizes the need to balance security and access. Information security cannot be absolute: it
is a process, not a goal. You can make a system available to anyone, anywhere, anytime, through
any means. However, such unrestricted access poses a danger to the security of the information.
On the other hand, a completely secure information system would not allow anyone access.

 Must provide security while still allowing the information to be accessed for its intended application.
 Information security cannot be absolute: it is a process, not a goal.
 Should balance protection and availability.

Figure 5 Balancing information security and access. The figure shows a balance weighing Access against Security: User 1 says "Encrypting e-mail is a hassle," User 2 says "Encrypting e-mail slows me down," and the CISO replies "Encryption is needed to protect secrets of the organization."

Approaches to Information Security Implementation


Key Terms

Bottom-up approach A method of establishing security policies that begins as a grassroots effort in which systems administrators attempt to improve the security of their systems.
Top-down approach A methodology of establishing security policies that is initiated by upper management.

Figure 6 Approaches to information security implementation. The organization chart runs from the CEO down through the CFO, CIO, and COO; then the CISO, VP-Systems, and VP-Networks; then the security, systems, and network managers; then the security, systems, and network administrators; and finally the security, systems, and network technicians. The top-down approach starts at the top of the chart; the bottom-up approach starts at the technician level.

Top-down approach
 Has a higher probability of success.
 The project is initiated by upper-level managers, who issue policy, procedures, and processes.
 They dictate the goals and expected outcomes of the project.
 They determine who is accountable for each of the required actions.

The Systems Development Life Cycle (SDLC)


SDLC Waterfall Methodology

- The SDLC is a methodology for the design and implementation of an information system in an organization.
- A methodology is a formal approach to solving a problem based on a structured sequence of procedures.
- The SDLC consists of six phases: investigation, analysis, logical design, physical design, implementation, and maintenance and change.


Investigation
- It is the most important phase and it begins with an examination of the event or plan that
initiates the process.
- During this phase, the objectives, constraints, and scope of the project are specified.
- At the conclusion of this phase, a feasibility analysis is performed, which assesses the
economic, technical and behavioural feasibilities of the process and ensures that implementation
is worth the organization’s time and effort.

Analysis
- It begins with the information gained during the investigation phase.
- It consists of assessments of the organization, the status of current systems, and the capability to support the proposed systems.
- Analysts begin by determining what the new system is expected to do, and how it will interact
with existing systems.
- This phase ends with the documentation of the findings and an update of the feasibility
analysis.

Logical Design
- In this phase, the information gained from the analysis phase is used to begin creating a
systems solution for a business problem.
- Based on the business need, applications are selected that are capable of providing needed
services.
- Based on the applications needed, data support and structures capable of providing the needed
inputs are then chosen.
- In this phase, analysts generate a number of alternative solutions, each with corresponding
strengths and weaknesses, and costs and benefits.
- At the end of this phase, another feasibility analysis is performed.

Physical design
- In this phase, specific technologies are selected to support the solutions developed in the
logical design.
- The selected components are evaluated based on a make-or-buy decision.
- Final designs integrate various components and technologies.

Figure 7 SDLC waterfall methodology: Investigation → Analysis → Logical Design → Physical Design → Implementation → Maintenance and Change (repeat when the system is no longer viable)

Implementation
- In this phase, any needed software is created.
- Components are ordered, received and tested.
- Afterwards, users are trained and supporting documentation created.
- Once all the components are tested individually, they are installed and tested as a system.
- Again a feasibility analysis is prepared, and the sponsors are then presented with the system for
a performance review and acceptance test.

Maintenance and change


- It is the longest and most expensive phase of the process.

- It consists of the tasks necessary to support and modify the system for the remainder of its
useful life cycle.
- Periodically, the system is tested for compliance with business needs.

- Upgrades, updates, and patches are managed.

- As the needs of the organization change, the systems that support the organization must also
change.
- When a current system can no longer support the organization, the project is terminated and a
new project is implemented.

The Security Systems Development Life Cycle (Sec SDLC )


- The same phases used in the traditional SDLC can be adapted to support the implementation of
an information security project.

Investigation
- This phase begins with a directive from upper management, dictating the process, outcomes,
and goals of the project, as well as its budget and other constraints.
- Frequently, this phase begins with an enterprise information security policy, which outlines
the implementation of a security program within the organization.
- Teams of responsible managers, employees, and contractors are organized.
- Problems are analyzed.
- Scope of the project, as well as specific goals and objectives, and any additional constraints not
covered in the program policy, are defined.
- Finally, an organizational feasibility analysis is performed to determine whether the
organization has the resources and commitment necessary to conduct a successful security
analysis and design.

Analysis
- In this phase, the documents from the investigation phase are studied.
- The development team conducts a preliminary analysis of existing security policies or programs, along with that of documented current threats and associated controls.
- The risk management task also begins in this phase.

-Risk management is the process of identifying, assessing, and evaluating the levels of risk
facing the organization, specifically the threats to the organization’s security and to the
information stored and processed by the organization.
Logical design
- This phase creates and develops the blueprints for information security, and examines and
implements key policies.
- The team plans incident response actions.
- Plans the business response to disaster.
- Determines the feasibility of continuing the project and/or outsourcing it.

Physical design
- In this phase, the information security technology needed to support the blueprint outlined in
the logical design is evaluated.
- Alternative solutions are generated.
- Designs for physical security measures to support the proposed technological solutions are
created.
- At the end of this phase, a feasibility study should determine the readiness of the organization
for the proposed project.
- At this phase, all parties involved have a chance to approve the project before implementation
begins.

Implementation
- Similar to traditional SDLC
- The security solutions are acquired (made or bought), tested, implemented, and tested again
- Personnel issues are evaluated and specific training and education programs are conducted.
- Finally, the entire tested package is presented to upper management for final approval.

Maintenance and change


- Constant monitoring, testing, modification, updating, and repairing to meet changing threats are performed in this phase.

Security Professionals and the Organization's Senior Management


The Chief Information Officer (CIO) is the organization's senior technology officer. The Chief Information Security Officer (CISO), who typically reports to the CIO, is responsible for the
 Assessment
 Management
 And implementation of information security in the organization
Information Security Project Team
• Champion
- Promotes the project
- Ensures its support, both financially & administratively.

• Team Leader
- Understands project management
- Personnel management
- And information Security technical requirements.
Security policy developers
- Individuals who understand the organizational culture,
- Existing policies
- Requirements for developing & implementing successful policies.
Risk assessment specialists
- Individuals who understand financial risk assessment techniques.
- The value of organizational assets,
- And the security methods to be used.
Security Professionals
- Dedicated
- Trained and well-educated specialists in all aspects of information security, from both a technical and a non-technical standpoint.
System Administrators
- Administrating the systems that house the information used by the organization.
End users
Three types of end users are distinguished:
 Data owners
 Data custodians
 Data users
Data Owners
- Responsible for the security and use of a particular set of information.
- Determine the level of data classification
- Work with subordinate managers to oversee the day-to-day administration of the data.

Data Custodians
- Responsible for the storage, maintenance, and protection of the information.
- Overseeing data storage and backups
- Implementing the specific procedures and policies.

Data Users (End users)


- Work with the information to perform their daily jobs supporting the mission of the
organization.
- Everyone in the organization is responsible for the security of data, so data users are included
here as individuals with an information security role.

Key Terms in Information Security Terminology

Asset
- An asset is the organizational resource that is being protected.
- An asset can be logical, such as a website, information, or data.
- An asset can be physical, such as a person or a computer system.
Attack
- An attack is an intentional or unintentional attempt to cause damage to or otherwise
compromise the information and /or the systems that support it. If someone casually reads
sensitive information not intended for his use, this is considered a passive attack. If a hacker
attempts to break into an information system, the attack is considered active.

Risk
- Risk is the probability that something can happen. In information security, it is the probability that a threat to a system will be realized.

UNIT II SECURITY INVESTIGATION


Need for Security, Business Needs, Threats, Attacks, Legal, Ethical and Professional Issues - An
Overview of Computer Security - Access Control Matrix, Policy-Security policies,
Confidentiality policies, Integrity policies and Hybrid policies

Need For Security


Information security is essential for protecting sensitive and valuable data from unauthorized
access, use, disclosure, disruption, modification, or destruction. Here are some of the key
reasons why information security is important:

Protecting Confidential Information: Confidential information, such as personal data,


financial records, trade secrets, and intellectual property, must be kept secure to prevent it from
falling into the wrong hands. This type of information is valuable and can be used for identity
theft, fraud, or other malicious purposes.

Complying with Regulations: Many industries, such as healthcare, finance, and government,
are subject to strict regulations and laws that require them to protect sensitive data. Failure to
comply with these regulations can result in legal and financial penalties, as well as damage to
the organization’s reputation.

Maintaining Business Continuity: Information security helps ensure that critical business
operations can continue in the event of a disaster, such as a cyber-attack or natural disaster.
Without proper security measures in place, an organization’s data and systems could be
compromised, leading to significant downtime and lost revenue.

Protecting Customer Trust: Customers expect organizations to keep their data safe and secure.
Breaches or data leaks can erode customer trust, leading to a loss of business and damage to the
organization’s reputation.

Preventing Cyber-attacks: Cyber-attacks, such as viruses, malware, phishing, and


ransomware, are becoming increasingly sophisticated and frequent. Information security helps
prevent these attacks and minimizes their impact if they do occur.

Protecting Employee Information: Organizations also have a responsibility to protect


employee data, such as payroll records, health information, and personal details. This
information is often targeted by cybercriminals, and its theft can lead to identity theft and
financial fraud.

Business Needs First


Information security performs four important functions for an organization:
1. Protects the organization’s ability to function
2. Enables the safe operation of applications implemented on the organization’s IT systems.
3. Protects the data the organization collects and uses.
4. Safeguards the technology assets in use at the organization.

1. Protecting the functionality of an organization


• Decision makers in organizations must set policy and operate their organizations in compliance
with the complex, shifting legislation that controls the use of technology.

2. Enabling the safe operation of applications

• Organizations are under immense pressure to acquire and operate integrated, efficient, and
capable applications.
• The modern organization needs to create an environment that safeguards applications using the
organization’s IT systems, particularly those applications that serve as important elements of the
infrastructure of the organization.

3. Protecting data that organizations collect & use

• Protecting data in motion (while it is transmitted) and protecting data at rest (while it is
stored) are both critical aspects of information security.
• The value of data motivates attackers to steal, sabotage, or corrupt it.
• Protecting the integrity and value of the organization’s data is therefore an essential function
of the information security program.

4. Safeguarding technology assets in organizations

• The organization must add secure infrastructure services appropriate to the size and scope of the
enterprise.
• Organizational growth could lead to the need for a public key infrastructure (PKI), an
integrated system of software and encryption methodologies.

Threats
To protect an organization’s information, you must:
1. Know yourself, i.e. be familiar with the information to be protected and the systems that
store, transport and process it.
2. Know the threats you face. To make sound decisions about information security, management
must be informed about the various threats facing the organization, its applications, data and
information systems.
A threat is an object, person, or other entity that represents a constant danger to an asset.

Threats to Information Security

Category of threat -- Examples
Acts of human error or failure -- Accidents, employee mistakes
Compromises to intellectual property -- Piracy, copyright infringement
Deliberate acts of espionage or trespass -- Unauthorized access and/or data collection
Deliberate acts of information extortion -- Blackmail or information disclosure
Deliberate acts of sabotage or vandalism -- Destruction of systems or information
Deliberate acts of theft -- Illegal confiscation of equipment or information
Deliberate software attacks -- Viruses, worms, macros, denial of service
Forces of nature -- Fire, flood, earthquake, lightning
Deviations in quality of service -- ISP, power, or WAN service providers
Technical hardware failures or errors -- Equipment failure
Technical software failures or errors -- Bugs, code problems, unknown loopholes
Technological obsolescence -- Antiquated or outdated technologies

1. Acts of Human Error or Failure:

• Acts performed without intent or malicious purpose by an authorized user, usually because of
inexperience, improper training, or the making of incorrect assumptions.
• One of the greatest threats to an organization’s information security is the organization’s own
employees.
• Examples: entry of erroneous data, accidental deletion or modification of data, storage of data
in unprotected areas, and failure to protect information.
• Many of these can be prevented with training, ongoing awareness activities, and verification by
a second party (many military applications have robust dual-approval controls built in).

2. Compromises to Intellectual Property

• Intellectual property (IP) is defined as the ownership of ideas and control over the tangible or
virtual representation of those ideas.
• Intellectual property includes trade secrets, copyrights, trademarks, and patents.
• Once intellectual property has been defined and properly identified, breaches to IP constitute a
threat to the security of this information.
• Organizations also purchase or lease the IP of other organizations.
• The most common IP breach is the unlawful use or duplication of software-based intellectual
property, more commonly known as software piracy.
• Software piracy affects the world economy.
• The U.S. provides approximately 80% of the world’s software.
• In addition to the laws surrounding software piracy, two watchdog organizations investigate
allegations of software abuse:
  1. Software and Information Industry Association (SIIA), formerly the Software Publishers Association
  2. Business Software Alliance (BSA)
• Another effort to combat piracy is the online registration process.
3. Deliberate Acts of Espionage or Trespass

• Electronic and human activities that can breach the confidentiality of information.
• When an unauthorized individual gains access to information an organization is trying to
protect, the act is categorized as espionage or trespass.
• Attackers can use many different methods to access the information stored in an information
system:
  1. Competitive intelligence (legal information gathering, e.g. using a Web browser to collect
  market research)
  2. Industrial espionage (spying)
  3. Shoulder surfing (e.g. watching someone enter a PIN at an ATM)

Trespass
• Can lead to unauthorized real or virtual actions that enable information gatherers to enter
premises or systems they have not been authorized to enter.
• Sound principles of authentication and authorization can help organizations protect valuable
information and systems.
• Hackers: “people who use and create computer software to gain access to information illegally”.
• There are generally two skill levels among hackers:
  - Expert hackers: masters of several programming languages, networking protocols, and
  operating systems.
  - Unskilled hackers: rely on tools and scripts written by the experts.

4. Deliberate Acts of Information Extortion (obtaining something by force or threat)

• The possibility of an attacker or trusted insider stealing information from a computer system
and demanding compensation for its return or for an agreement not to disclose the information.

5. Deliberate Acts of Sabotage or Vandalism

• Destroy an asset, or
• Damage the image of the organization.
• Cyber terrorism: cyber terrorists hack systems to conduct terrorist activities through network or
Internet pathways.

6. Deliberate Acts of Theft

• The illegal taking of another’s property is a constant problem.
• Within an organization, property can be physical, electronic, or intellectual.
• Physical theft can be controlled by installing alarm systems and employing trained security
professionals.
• Controls for electronic theft are still an area of active research.
7. Deliberate Software Attacks
• Occur when an individual or group designs and deploys software to attack a system. This
software is referred to as malicious code, malicious software, or malware.
• These software components are designed to damage, destroy, or deny service to the target
system.
• The most common instances of malware are viruses, worms, Trojan horses, logic bombs, and
backdoors.

The British Internet service provider Cloudnine is reputed to be the first business “hacked out of
existence”: a denial-of-service attack drove it out of business.

Virus
• Segments of code that perform malicious actions.
• Viruses are commonly transmitted when a user opens an infected e-mail attachment.
• Macro virus: embedded in the automatically executing macro code common in word processors,
spreadsheets and database applications.
• Boot virus: infects the key operating system files located in the computer’s boot sector.
Worms
• A worm is a malicious program that replicates itself constantly, without requiring another
program to provide a safe environment for replication.
• Worms can continue replicating themselves until they completely fill available resources, such
as memory, hard drive space, and network bandwidth.
• E.g. MS-Blaster, MyDoom and Netsky are multifaceted attack worms.
• Once the worm has infected a computer, it can redistribute itself to all e-mail addresses found
on the infected system.
• Furthermore, a worm can deposit copies of itself onto all Web servers that the infected system
can reach, so that users who subsequently visit those sites become infected.

Trojan Horses
Software programs that hide their true nature and reveal their designed behaviour only when
activated. The typical life cycle:
1. The Trojan horse arrives via e-mail or bundled with software such as free games.
2. It is activated when the software or attachment is executed.
3. It releases its payload: monitors computer activity, installs a back door, or transmits
information to the hacker.

Polymorphism
A polymorphic threat is one that changes its apparent shape over time, making it undetectable by
techniques that look for preconfigured signatures. These viruses and worms actually evolve,
changing their size and appearance to elude detection by antivirus software programs.


Types of Trojans
• Data-sending Trojans
• Proxy Trojans
• FTP Trojans
• Security-software disabler Trojans
• Denial-of-service (DoS) attack Trojans

Virus
• A program or piece of code that is loaded onto your computer without your knowledge and runs
against your wishes.
Worm
• A program or algorithm that replicates itself over a computer network and usually performs
malicious actions.
Trojan horse
• A destructive program that masquerades as a benign application; unlike viruses, Trojan horses
do not replicate themselves.
Blended threat
• Blended threats combine the characteristics of viruses, worms, Trojan horses and malicious code
with server and Internet vulnerabilities.
Antivirus program
• A utility that searches a hard disk for viruses and removes any that are found.
Forces of Nature
Fire: Structural fire that damages the building. Also encompasses smoke damage from a fire or
water damage from sprinkler systems.
Flood: Can sometimes be mitigated with flood insurance and/or business interruption insurance.
Earthquake: Can sometimes be mitigated with specific casualty insurance and/or business
interruption insurance, but is usually a separate policy.
Lightning: An abrupt, discontinuous natural electric discharge in the atmosphere.
Landslide/Mudslide: The downward sliding of a mass of earth and rocks, directly damaging all
parts of the information systems.

Because these threats cannot be prevented, organizations must also prepare contingency plans for
continued operations, such as disaster recovery plans, business continuity plans, and incident
response plans, to limit losses in the face of these threats.

Deviations in Quality of Service

• A product or service is not delivered to the organization as expected.
• The organization’s information system depends on the successful operation of many
interdependent support systems.
• These include power grids, telecom networks, parts suppliers, service vendors, and even the
janitorial staff and garbage haulers.
• This degradation of service is a form of availability disruption.
Internet Service Issues
• Internet service provider (ISP) failures can considerably undermine the availability of
information.
• Web hosting services are usually arranged with an agreement providing minimum service levels,
known as a service level agreement (SLA).
• When a service provider fails to meet the SLA, the provider may accrue fines to cover losses
incurred by the client, but these payments seldom cover the losses generated by the outage.
Communications & Other Service Provider Issues
• Other utility services that can affect the organization are telephone, water, waste water, trash
pickup, cable television, natural or propane gas, and custodial services.
• The loss of these services can impair the ability of an organization to function.
• For example, if the waste water system fails, an organization might be prevented from allowing
employees into the building, which would stop normal business operations.
Power Irregularities
• Fluctuations due to power excesses, power shortages, and power losses.
• When voltage levels spike (experience a momentary increase) or surge (experience a prolonged
increase), the extra voltage can severely damage or destroy equipment.
• The more expensive uninterruptible power supply (UPS) can protect against spikes and surges as
well as short outages.
• Inadequately conditioned power for information systems equipment therefore poses a real problem
for the organizations that tolerate it.
Technical Hardware Failures or Errors
• Result in unreliable service or lack of availability.
• Some errors are terminal, in that they result in unrecoverable loss of equipment.
• Some errors are intermittent, in that they result in faults that are not easily repeated.
Technical Software Failures or Errors
• This category involves threats that come from purchasing software with unknown, hidden faults.
• Large quantities of computer code are written, debugged, published, and sold before all their
bugs are detected and resolved.
• These failures range from bugs to untested failure conditions.
Technological Obsolescence
• Outdated infrastructure can lead to unreliable and untrustworthy systems.
• Management must recognize that when technology becomes outdated, there is a risk of loss of
data integrity from attacks, since vendors no longer fix the vulnerabilities that are found in it.

Attacks

• An attack is an act or action that takes advantage of a vulnerability to compromise a
controlled system.
• It is accomplished by a threat agent that damages or steals an organization’s information or
physical assets.
• A vulnerability is an identified weakness in a controlled system, where controls are not present
or are no longer effective.
• An attack exists when a specific act or action comes into play and may cause a potential loss.

Malicious code
• The malicious code attack includes the execution of viruses, worms, Trojan horses, and active
Web scripts with the intent to destroy or steal information.
• The state-of-the-art malicious code attack is the polymorphic or multivector worm.
• These attack programs use up to six known attack vectors to exploit a variety of vulnerabilities
in commonly found information system devices.

Attack Replication Vectors

1. IP scan & attack
2. Web browsing
3. Virus
4. Unprotected shares
5. Mass mail
6. Simple Network Management Protocol (SNMP)

1. IP scan & attack
The infected system scans a random or local range of IP addresses and targets any of several
vulnerabilities known to hackers.
2. Web browsing
If the infected system has write access to any Web pages, it makes all Web content files (.html,
.asp, .cgi and others) infectious, so that users who browse to those pages become infected.
3. Virus
Each infected machine infects certain common executable or script files on all computers to
which it can write with virus code that can cause infection.
4. Unprotected shares
Using vulnerabilities in file systems and the way many organizations configure them, the
infected machine copies the viral component to all locations it can reach.
5. Mass mail
By sending e-mail infections to addresses found in the address book, the infected machine
infects many users, whose mail-reading programs also automatically run the program and infect
other systems.
6. Simple Network Management Protocol (SNMP)
By using the widely known and common passwords (community strings) that were employed in early
versions of this protocol, the attacking program can gain control of the device. Most vendors
have closed these vulnerabilities with software upgrades.

Virus and Worm Hoaxes As frustrating as viruses and worms are, perhaps more time and money are
spent resolving virus hoaxes. Well-meaning people can disrupt the harmony and flow of an
organization when they send group e-mails warning of supposedly dangerous viruses that don’t exist.
When people fail to follow virus-reporting procedures in response to a hoax, the network becomes
overloaded and users waste time and energy forwarding the warning message to everyone they know,
posting the message on bulletin boards, and trying to update their antivirus protection software.
One of the most prominent virus hoaxes was the 1994 “Goodtimes virus,” which reportedly was
transmitted in an e-mail with the header “Good Times” or “goodtimes.” The virus never existed, and
thousands of hours of employee time were wasted retransmitting the e-mail, effectively creating a
denial of service.

At one time, hoaxes amounted to little more than pranks, although occasionally a sting was
attached. For example, the Teddy Bear hoax tricked users into deleting necessary operating system
files, which made their systems stop working. More recently, criminals have been able to monetize
the hoax virus by claiming that systems are infected with malware and then selling a cure for a
problem that does not exist: the perpetrator of the hoax offers to sell a fake antivirus program to
correct the fake malware.

Password Attacks
Password attacks fall under the category of espionage or trespass just as lock-picking falls
under breaking and entering. Attempting to guess or reverse-calculate a password is often called
cracking. There are a number of alternative approaches to password cracking:
• Brute force
• Dictionary
• Rainbow tables
• Social engineering

Brute Force The application of computing and network resources to try every possible password
combination is called a brute force password attack. If attackers can narrow the field of target
accounts, they can devote more time and resources to these accounts. This is one reason to always
change the password of the manufacturer’s default administrator account. Brute force password
attacks are rarely successful against systems that have adopted the manufacturer’s recommended
security practices. Controls that limit the number of unsuccessful access attempts within a
certain time are very effective against online brute force attacks. Note that such lockouts do
nothing against offline guessing of a stolen password file; there, only long passwords and a slow,
salted hash raise the attacker’s cost.
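The attempt-limiting control described above, as an added example written for these notes (not code from the original page): a login service that keeps a sliding window of failed attempts per account and locks the account, even for a correct password, once the threshold is hit. User names, passwords, thresholds and timestamps are constructed; the stored credential is a salted PBKDF2 hash so the same file also resists offline guessing.

```python
"""Sliding-window lockout against online brute-force password guessing.
Added example for these notes, not code from the original page; user names,
passwords, thresholds and timestamps are constructed for illustration."""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # failed attempts tolerated...
WINDOW_SECONDS = 300    # ...within this window before the account locks
LOCKOUT_SECONDS = 900   # how long the lock lasts


def _hash(password: str, salt: bytes) -> bytes:
    # Deliberately slow (PBKDF2) so offline guessing against a stolen file is costly too.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class LoginService:
    def __init__(self):
        self._creds = {}                      # username -> (salt, hash)
        self._failures = defaultdict(deque)   # username -> timestamps of recent failures
        self._locked_until = {}               # username -> time the lock expires

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._creds[username] = (salt, _hash(password, salt))

    def login(self, username: str, password: str, now=None) -> str:
        """Return 'ok', 'bad_password' or 'locked'."""
        now = time.time() if now is None else now
        if self._locked_until.get(username, 0) > now:
            return "locked"                   # refuse even a correct password while locked
        salt, expected = self._creds.get(username, (b"", b""))
        # compare_digest avoids leaking which byte differed through timing
        if username in self._creds and hmac.compare_digest(_hash(password, salt), expected):
            self._failures.pop(username, None)
            return "ok"
        window = self._failures[username]
        window.append(now)
        while window and window[0] < now - WINDOW_SECONDS:
            window.popleft()                  # forget failures older than the window
        if len(window) >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            window.clear()
            return "locked"
        return "bad_password"


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse battery staple")
    t = 1000.0
    for i in range(6):
        print(i, svc.login("alice", f"guess{i}", now=t + i))
    print("correct password while locked:",
          svc.login("alice", "correct horse battery staple", now=t + 6))
```

The lock is keyed on the account, not the client address, so an attacker rotating source addresses gains nothing; the trade-off is that an attacker who knows a user name can lock that user out deliberately, which is why production systems usually pair lockout with rate limiting and alerting rather than a hard block alone.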

Dictionary Attacks The dictionary password attack, or simply dictionary attack, is a variation of
the brute force attack that narrows the field by using a dictionary of common passwords and
includes information related to the target user, such as names of relatives or pets, and familiar
numbers such as phone numbers, addresses, and even Social Security numbers. Organizations can use
similar dictionaries to disallow passwords during the reset process and thus guard against
passwords that are easy to guess. Rules requiring numbers and special characters in passwords make
the dictionary attack somewhat less effective, although current guidance (NIST SP 800-63B) favors
screening candidate passwords against lists of breached and common passwords and allowing long
passphrases over mandatory composition rules.
Rainbow Tables A far more sophisticated and potentially much faster password attack is possible
if the attacker can gain access to a hashed password file, such as the Security Account Manager
(SAM) database. While these files contain hashed representations of users’ passwords, not the
actual passwords, and thus cannot be used by themselves, the hash values for a wide variety of
passwords can be looked up in a precomputed database known as a rainbow table. These tables can be
searched quickly, and a hash value and its corresponding plaintext value can be easily located.
Rainbow tables only work when the hash is computed over the password alone; storing each password
hashed together with a random per-user salt, using a deliberately slow algorithm, makes the
precomputation useless.
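The dictionary and rainbow-table attacks above, as an added example written for these notes (not code from the original page). It runs a dictionary attack against a constructed "leaked" file of unsalted MD5 hashes by way of a precomputed hash-to-plaintext table (the structure a rainbow table compresses), shows how identical hashes expose users who share a password, and then shows why a random per-user salt with a slow hash (PBKDF2 here) forces the attacker to redo the work per user. The wordlist, the user names and the iteration count are all constructed.

```python
"""Offline password cracking: dictionary attack on unsalted hashes via a
precomputed lookup table, and why a per-user salt plus a slow hash defeats
the precomputation. Added example for these notes, not code from the original
page; the wordlist and the 'leaked' password file are constructed."""
import hashlib
import os

ITERATIONS = 50_000   # PBKDF2 work factor; constructed for the demo

# Constructed wordlist of the kind a dictionary attack draws from (common
# passwords plus guesses built from details about the target user).
WORDLIST = ["123456", "password", "letmein", "qwerty", "Fluffy2019", "summer2020"]


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# Constructed "leaked" file of unsalted MD5 hashes, the legacy format these
# attacks target. Two users sharing a password produce the same hash.
LEAKED_UNSALTED = {
    "alice": md5_hex("Fluffy2019"),
    "bob": md5_hex("letmein"),
    "carol": md5_hex("letmein"),
    "dave": md5_hex("T4!mZq9#vL"),   # not in the wordlist
}


def build_lookup_table(words):
    """Precompute hash -> plaintext once. A rainbow table stores this space
    with hash/reduce chains to save memory, but the attacker's advantage is the
    same: the hashing work is done before the breach and reused for every dump."""
    return {md5_hex(w): w for w in words}


def crack_unsalted(leaked, table):
    """Every hash is a single dictionary lookup."""
    return {user: table[h] for user, h in leaked.items() if h in table}


def shared_passwords(leaked):
    """Identical unsalted hashes expose users who share a password."""
    by_hash = {}
    for user, h in leaked.items():
        by_hash.setdefault(h, []).append(user)
    return [users for users in by_hash.values() if len(users) > 1]


def make_salted(password: str):
    """Storage format a modern system should use: random salt, slow hash."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def crack_salted(salt: bytes, target: bytes, words):
    """With a salt the attacker must re-hash the whole wordlist per user, and
    each guess costs ITERATIONS hash computations instead of one lookup."""
    for w in words:
        if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, ITERATIONS) == target:
            return w
    return None


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("cracked from dump:", crack_unsalted(LEAKED_UNSALTED, table))
    print("users sharing a password:", shared_passwords(LEAKED_UNSALTED))
    s, h = make_salted("letmein")
    print("salted 'letmein' still guessable from the wordlist:", crack_salted(s, h, WORDLIST))
```

Note what the salt does and does not do: it defeats the precomputed table and hides shared passwords, but a weak password is still found by a per-user dictionary pass; the slow hash only makes each guess more expensive. That is why the breached-password screening mentioned above matters as much as the storage format.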
Social Engineering Password Attacks While social engineering is discussed in detail later in the
section called “Human Error or Failure,” it is worth mentioning here as a mechanism to gain
password information. Attackers posing as an organization’s IT professionals may attempt to gain
access to systems information by contacting low-level employees and offering to help with their
computer issues.
Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
In a denial-of-service (DoS) attack, the attacker sends a large number of connection or
information requests to a target (see Figure 2-18). So many requests are made that the target
system becomes overloaded and cannot respond to legitimate requests for service. The system may
crash or simply become unable to perform ordinary functions. In a distributed denial-of-service
(DDoS) attack, a coordinated stream of requests is launched against a target from many locations
at the same time. Most DDoS attacks are preceded by a preparation phase in which many systems,
perhaps thousands, are compromised. The compromised machines are turned into bots or zombies,
machines that are directed remotely by the attacker (usually via a transmitted command) to
participate in the attack. DDoS attacks are more difficult to defend against, and currently there
are no controls that any single organization can apply on its own; mitigation depends on upstream
providers filtering the traffic before it reaches the target.

Figure 2-18:
In a denial-of-service attack, a hacker compromises a system and uses that system to attack the
target computer, flooding it with more requests for services than the target can handle.
In a distributed denial-of-service attack, dozens or even hundreds of computers (known as
zombies) are compromised, loaded with DoS attack software, and then remotely activated by the
hacker to conduct a coordinated attack.


Packet Sniffer A packet sniffer (or simply sniffer) can monitor data traveling over a network.
Sniffers can be used both for legitimate network management functions and for stealing
information. Unauthorized sniffers can be extremely dangerous to a network’s security because a
passive sniffer is very difficult to detect and can be inserted almost anywhere. This makes them
a favorite weapon in the hacker’s arsenal. Sniffers often work on TCP/IP networks. Sniffers add
risk to networks because many systems and users still send information on local networks in clear
text. A sniffer program shows all the data going by, including passwords, the data inside files
(such as word-processing documents), and screens full of sensitive data from applications.
Encrypting traffic end to end (for example with TLS) is the control that denies a sniffer anything
useful even when the sniffer itself cannot be detected.

Spoofing To engage in IP spoofing, hackers use a variety of techniques to obtain trusted IP
addresses and then modify the packet headers to insert these forged addresses. Newer routers and
firewall arrangements can offer protection against IP spoofing.

Figure (IP spoofing):
1. Original IP packet from the hacker’s system: IP source 192.168.0.25, IP destination
100.0.0.75, data payload.
2. Hacker modifies the source address to spoof a trusted host: IP source 100.0.0.80, IP
destination 100.0.0.75 (spoofed, modified packet).
3. Firewall allows the packet in, mistaking it for legitimate traffic.
4. Spoofed packet slips into the intranet to wreak havoc.
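The figure’s attack and the router/firewall protection it mentions, as an added example written for these notes (not code from the original page). The block builds a minimal IPv4 header with the figure’s addresses, overwrites the source field and recomputes the header checksum the way a spoofing tool must (a bad checksum would be dropped before reaching the firewall), and then applies the ingress filter rule (the BCP 38 / RFC 2827 idea) that defeats it: a packet arriving on the outside interface cannot legitimately carry an inside source address. The internal prefix 100.0.0.0/24 and the interface names are assumptions for the example.

```python
"""IP source-address spoofing at the packet level, and the ingress filter
(BCP 38 / RFC 2827 style) that drops the spoofed packet in the figure.
Added example for these notes, not code from the original page; the packet is
constructed and the internal prefix is an assumption."""
import ipaddress
import struct

INTERNAL = ipaddress.ip_network("100.0.0.0/24")   # assumed: the intranet behind the firewall


def ip_checksum(header: bytes) -> int:
    """Standard one's-complement sum of 16-bit words over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 17, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) plus payload, with a correct checksum."""
    ver_ihl, tos, ident, flags_frag = 0x45, 0, 0x1234, 0
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
                      0, ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def spoof_source(packet: bytes, new_src: str) -> bytes:
    """What the attacker in the figure does: overwrite the source field (bytes
    12-16) and recompute the checksum so routers do not discard it as corrupt."""
    hdr = bytearray(packet[:20])
    hdr[12:16] = ipaddress.ip_address(new_src).packed
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]


def parse_addrs(packet: bytes):
    return str(ipaddress.ip_address(packet[12:16])), str(ipaddress.ip_address(packet[16:20]))


def checksum_ok(packet: bytes) -> bool:
    # Summing a header that includes its own checksum yields zero when it is valid.
    return ip_checksum(packet[:20]) == 0


def ingress_filter(arrival_iface: str, packet: bytes) -> str:
    """Firewall decision. A packet on the *outside* interface that claims an
    *inside* source address cannot be legitimate, whatever the header says."""
    src, _ = parse_addrs(packet)
    if arrival_iface == "outside" and ipaddress.ip_address(src) in INTERNAL:
        return "drop: internal source address arriving on external interface"
    return "accept"


if __name__ == "__main__":
    original = build_ipv4("192.168.0.25", "100.0.0.75", b"payload")
    spoofed = spoof_source(original, "100.0.0.80")
    print("spoofed packet addresses:", parse_addrs(spoofed), "checksum ok:", checksum_ok(spoofed))
    print("naive firewall would see a trusted source; ingress filter says:",
          ingress_filter("outside", spoofed))
```

The filter works because it keys on where the packet arrived rather than on what the packet says about itself. Its mirror image (egress filtering, dropping outbound packets whose source is not one of your own prefixes) is what stops your network from being used to launch spoofed attacks on others.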

Pharming Pharming attacks often use Trojans, worms, or other malware to tamper with name
resolution on the victim’s machine (for example the hosts file or browser settings) so that the
valid URL the user types resolves to an illegitimate Web site. A form of pharming called Domain
Name System (DNS) cache poisoning targets the DNS infrastructure itself, inserting forged records
into a resolver’s cache so that every client of that resolver is misdirected. The key difference
between pharming and the social engineering attack called phishing is that the latter requires the
user to actively click a link or button to redirect to the illegitimate site, whereas pharming
attacks modify the user’s traffic without the user’s knowledge or active participation.
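DNS cache poisoning in miniature, as an added example written for these notes (not code from the original page). A resolver that accepts any reply for an outstanding name is poisoned by a flood of forged answers racing the real server; a resolver that also requires the reply to match the query’s random 16-bit transaction ID and random source port discards every guess. The domain name, the two IP addresses (RFC 5737 documentation ranges) and the attacker’s guessing strategy are constructed; real resolvers additionally check that the answer is within the responding server’s bailiwick and can validate DNSSEC signatures, which this toy omits.

```python
"""DNS cache poisoning in miniature: a weak resolver accepts the first reply
for a name, a hardened one requires matching transaction ID and source port.
Added example for these notes, not code from the original page; names,
addresses and the attacker's guesses are constructed."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    name: str
    txid: int       # 16-bit DNS transaction ID
    src_port: int   # UDP source port the reply must come back to


@dataclass(frozen=True)
class Reply:
    name: str
    txid: int
    dst_port: int
    answer: str     # the IP address the reply claims for the name


LEGIT_IP = "198.51.100.10"      # constructed (RFC 5737 documentation range)
ATTACKER_IP = "203.0.113.66"    # constructed


class Resolver:
    def __init__(self, strict: bool, rng: random.Random):
        self.strict = strict
        self.rng = rng
        self.cache = {}     # name -> cached answer
        self.pending = {}   # name -> outstanding Query

    def send_query(self, name: str) -> Query:
        if self.strict:
            # Hardened: unpredictable ID and port give ~2^32 combinations to guess.
            q = Query(name, self.rng.randrange(1 << 16), self.rng.randrange(1024, 1 << 16))
        else:
            # Weak setting: predictable ID, fixed port 53, and no match check on receipt.
            q = Query(name, 1, 53)
        self.pending[name] = q
        return q

    def receive(self, r: Reply) -> bool:
        """Return True if the reply was accepted into the cache."""
        q = self.pending.get(r.name)
        if q is None:
            return False                        # nothing outstanding for this name
        if self.strict and (r.txid != q.txid or r.dst_port != q.src_port):
            return False                        # does not match our query: discard
        self.cache[r.name] = r.answer           # first acceptable reply wins
        del self.pending[r.name]
        return True


def run_attack(strict: bool, forged_replies: int = 2000, seed: int = 7) -> str:
    """Attacker floods guessed replies before the real server answers; return
    what ends up in the cache for the name."""
    res = Resolver(strict, random.Random(seed))
    name = "bank.example"
    res.send_query(name)
    for guess in range(forged_replies):
        res.receive(Reply(name, txid=guess, dst_port=53, answer=ATTACKER_IP))
    q = res.pending.get(name)
    if q is not None:   # the legitimate reply matches the query exactly
        res.receive(Reply(name, txid=q.txid, dst_port=q.src_port, answer=LEGIT_IP))
    return res.cache[name]


if __name__ == "__main__":
    print("weak resolver cached  :", run_attack(strict=False))
    print("strict resolver cached:", run_attack(strict=True))
```

The strict resolver is not invulnerable, only expensive to attack: an attacker who can send enough forged replies fast enough still has a 1 in 2^32 chance per packet, which is why source-port randomisation was treated as an emergency fix in 2008 and DNSSEC validation is the durable control.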

Man-in-the-Middle In the well-known man-in-the-middle attack, an attacker monitors (or sniffs)
packets from the network, modifies them, and inserts them back into the network. In a TCP
hijacking attack, also known as session hijacking, the attacker uses address spoofing to
impersonate other legitimate entities on the network. It allows the attacker to eavesdrop as well
as to change, delete, reroute, add, forge, or divert data. A variant of TCP hijacking involves the
interception of an encryption key exchange, which enables the hacker to act as an invisible man in
the middle, that is, an eavesdropper, on encrypted communications. Figure 2-20 illustrates these
attacks by showing how a hacker uses public and private encryption keys to intercept messages.

Figure 2-20:
1) Company A attempts to establish an encrypted session with Company B.
2) Hacker intercepts the transmission and poses as Company B. Hacker exchanges his own keys with
Company A. Hacker then establishes a session with Company B, posing as Company A.
3) Company B sends all messages to the hacker, who receives, decrypts, copies, and forwards
copies (possibly
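The key-exchange interception in Figure 2-20, as an added example written for these notes (not code from the original page). It runs an unauthenticated Diffie-Hellman exchange in which the attacker substitutes its own public value in both directions, ends up holding one key shared with A and another shared with B, and can decrypt, copy and re-encrypt A’s message so that B receives it intact and unaware. It then shows the fix: each side authenticates its public value with an HMAC under a pre-shared key, and the substituted value fails verification. The prime is a toy 61-bit Mersenne prime chosen for illustration only, the pre-shared key and the message are constructed, and the stream cipher is a throwaway SHA-256 keystream; real systems use RFC 3526 groups or ECDH, and authenticate the exchange with certificates or signatures rather than a PSK.

```python
"""Man-in-the-middle on an unauthenticated Diffie-Hellman exchange, and the
rejection an authenticated exchange produces. Added example for these notes,
not code from the original page; the prime, key and message are constructed
and not suitable for real use."""
import hashlib
import hmac
import secrets

P = (1 << 61) - 1   # toy Mersenne prime for illustration only (real: RFC 3526 groups or ECDH)
G = 2
PSK = b"constructed pre-shared key"   # assumed out-of-band secret A and B share; attacker lacks it


def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive(priv: int, peer_pub: int) -> bytes:
    """Shared key = hash of the DH shared secret."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(8, "big")).digest()


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 keystream) so the relay can decrypt, copy and re-encrypt."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def unauthenticated_exchange(message: bytes) -> dict:
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    m_priv, m_pub = keypair()
    # Figure step 2: the attacker swaps in its own public value in both directions.
    key_a = derive(a_priv, m_pub)      # what A computes, believing m_pub came from B
    key_b = derive(b_priv, m_pub)      # what B computes, believing m_pub came from A
    m_key_a = derive(m_priv, a_pub)    # attacker's key with A (equals key_a)
    m_key_b = derive(m_priv, b_pub)    # attacker's key with B (equals key_b)
    # Figure step 3: A sends ciphertext; the attacker decrypts, copies, re-encrypts for B.
    wire = stream_xor(key_a, message)
    seen_by_attacker = stream_xor(m_key_a, wire)
    forwarded = stream_xor(m_key_b, seen_by_attacker)
    received_by_b = stream_xor(key_b, forwarded)
    return {"attacker_read": seen_by_attacker, "b_received": received_by_b,
            "keys_differ": key_a != key_b}


def tag(pub: int) -> bytes:
    """Authenticate a public value under the pre-shared key."""
    return hmac.new(PSK, pub.to_bytes(8, "big"), hashlib.sha256).digest()


def authenticated_exchange(intercept: bool) -> str:
    a_priv, a_pub = keypair()
    sent_pub, sent_tag = a_pub, tag(a_pub)
    if intercept:
        _, m_pub = keypair()
        sent_pub = m_pub   # attacker cannot compute tag(m_pub) without PSK, so the old tag rides along
    if not hmac.compare_digest(sent_tag, tag(sent_pub)):
        return "rejected: public value fails authentication"
    return "established"


if __name__ == "__main__":
    r = unauthenticated_exchange(b"wire 10,000 to account 42")
    print("attacker read:", r["attacker_read"], "| B received:", r["b_received"])
    print("authenticated, no attacker:", authenticated_exchange(False))
    print("authenticated, attacker   :", authenticated_exchange(True))
```

The lesson the figure is making is that confidentiality from key exchange alone is worthless without authentication of the exchanged values: A and B each end up with a perfectly good encrypted channel, just not with each other.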

Legal, Ethical and Professional Issues

Policy versus Law

For a policy to become enforceable, it must meet the following five criteria:
• Dissemination (distribution): The organization must be able to demonstrate that the relevant
policy has been made readily available for review by the employee. Common dissemination
techniques include hard copy and electronic distribution.
• Review (reading): The organization must be able to demonstrate that it disseminated the
document in an intelligible form, including versions for employees who are illiterate,
reading-impaired, and unable to read English. Common techniques include recordings of the policy
in English and alternate languages.
• Comprehension (understanding): The organization must be able to demonstrate that the employee
understands the requirements and content of the policy. Common techniques include quizzes and
other assessments.
• Compliance (agreement): The organization must be able to demonstrate that the employee agreed
to comply with the policy through act or affirmation. Common techniques include logon banners,
which require a specific action (mouse click or keystroke) to acknowledge agreement, or a signed
document clearly indicating the employee has read, understood, and agreed to comply with the
policy.
• Uniform enforcement: The organization must be able to demonstrate that the policy has been
uniformly enforced, regardless of employee status or assignment.
Types of Law
Several categories of law affect organizations and their employees. Some of the more relevant
categories include the following:
• Civil law comprises a wide variety of laws that govern a nation or state and deal with the
relationships and conflicts between organizations and people.
• Criminal law addresses activities and conduct harmful to society, and is actively enforced by
the state.
Law can also be categorized as private or public:
• Private law encompasses family law, commercial law, and labor law, and regulates the
relationship between individuals and organizations.
• Public law regulates the structure and administration of government agencies and their
relationships with citizens, employees, and other governments. Public law includes criminal,
administrative, and constitutional law.
Relevant U.S. Laws
Historically, the United States has been a leader in the development and implementation of
information security legislation to prevent misuse and exploitation of information and
information technology. Information security legislation contributes to a more reliable business
environment, which in turn enables a stable economy.
The following requirements (drawn from the Federal Information Security Management Act of 2002,
FISMA) set out what each federal agency’s information security program must include:
(1) periodic assessments of the risk and magnitude of the harm that could result from the
unauthorized access, use, disclosure, disruption, modification, or destruction of information and
information systems that support the operations and assets of the agency;
(2) policies and procedures that are based on the risk assessments; cost-effectively reduce
information security risks to an acceptable level; ensure that information security is addressed
throughout the life cycle of each agency information system; and ensure compliance with this act
and other standards and regulations;
(3) subordinate plans for providing adequate information security for networks, facilities, and
systems or groups of information systems, as appropriate;
(4) security awareness training to inform personnel, including contractors and other users of
information systems that support the operations and assets of the agency, of information security
risks associated with their activities, and their responsibilities in complying with agency
policies and procedures designed to reduce these risks;

General Computer Crime Laws

The Computer Fraud and Abuse Act of 1986 (CFA Act or CFAA) is the cornerstone of many
computer-related federal laws and enforcement efforts. It was originally written as an extension
and clarification to the Comprehensive Crime Control Act of 1984. The CFAA was amended by the
National Information Infrastructure Protection Act of 1996, which modified several sections of
the previous act and increased the penalties for selected crimes.
The severity of the penalty depends on the value of the information obtained and whether the
offense is judged to have been committed for the following reasons:
• For purposes of commercial advantage
• For private financial gain
• In furtherance of a criminal act
Key U.S. laws relevant to information security (area, act, date, description):

Telecommunications (1934): Telecommunications Deregulation and Competition Act of 1996, an
update to the Communications Act of 1934 (47 USC 151 et seq.). Regulates interstate and foreign
telecommunications (amended in 1996 and 2001).

Civil legal evidence (1938): Federal Rules for Civil Procedure (FRCP). As updated in 2006,
specifies requirements for the storage, protection, and surrender of discoverable electronic data
as used in federal civil proceedings.

Freedom of information (1966): Freedom of Information Act (FOIA). Allows for disclosure of
previously unreleased information and documents controlled by the U.S. government.

Privacy (1974): Federal Privacy Act of 1974. Governs federal agency use of personal information.

Copyright (1976): Copyright Act of 1976, an update to U.S. Copyright Law (17 USC). Protects
intellectual property, including publications and software.

Cryptography (1986): Electronic Communications Privacy Act of 1986 (update to 18 USC). Regulates
interception and disclosure of electronic information; also referred to as the Federal
Wiretapping Act.

Access to stored communications (1986): Unlawful Access to Stored Communications (18 USC 2701).
Provides penalties for illegally accessing communications (such as e-mail and voicemail) stored
by a service provider.

Threats to computers (1986): Computer Fraud and Abuse Act (also known as Fraud and Related
Activity in Connection with Computers; 18 USC 1030). Defines and formalizes laws to counter
threats from computer-related acts and offenses (amended in 1996, 2001, and 2006).

Federal agency information security (1987): Computer Security Act of 1987. Requires all federal
computer systems that contain classified information to have security plans in place, and
requires periodic security training for all people who operate, design, or manage such systems.

Trap and trace restrictions (1993): General prohibition on pen register and trap and trace
device use; exception (18 USC 3121 et seq.). Prohibits the use of electronic pen registers and
trap and trace devices without a court order.

Criminal intent (1996): National Information Infrastructure Protection Act of 1996 (update to
18 USC 1030). Categorizes crimes based on criminal intent and a defendant’s authority to access a
protected computer system.

Trade secrets (1996): Economic Espionage Act of 1996. Prevents abuse of information gained while
employed elsewhere.

Personal health information protection (1996): Health Insurance Portability and Accountability
Act of 1996 (HIPAA). Requires medical practices to ensure the privacy of personal medical
information.

Intellectual property (1997): No Electronic Theft Act, which amends 17 USC 506(a) (copyright
infringement) and 18 USC 2319 (criminal infringement of copyright) (Public Law 105-147). Amends
copyright and criminal statutes to provide greater copyright protection and penalties for
electronic copyright infringement.

Copy protection (1998): Digital Millennium Copyright Act (update to 17 USC 101). Provides
specific penalties for removing copyright protection from media.

The preceding laws and many others were further modified by the USA PATRIOT Act of 2001, which
provides law enforcement agencies with broader latitude to combat terrorism-related activities.
In response to the pressure for privacy protection, the number of statutes that address individual
rights to privacy has grown. To help you better understand this rapidly evolving issue, some of
the more relevant privacy laws are presented here.

[Figure: information assembled from multiple sources (name, address, phone number, financial
information) gathered through Web cookies, phone surveys, and store loyalty programs]

Some regulations in the U.S. legal code stipulate responsibilities of common carriers
(organizations that process or move data for hire) to protect the confidentiality of customer
information. The Privacy of Customer Information Section of the common carrier regulation states
that any proprietary information shall be used explicitly for providing services, and not for
marketing purposes.
While common carrier regulation oversees public carriers to protect individual privacy, the
Federal Privacy Act of 1974 regulates government agencies and holds them accountable if they
release private information about individuals or businesses without permission. The following
agencies, regulated businesses, and individuals are exempt from some of the regulations so they
can perform their duties:
• Bureau of the Census
• National Archives and Records Administration
• Congress
• Comptroller General
• Federal courts with regard to specific issues using appropriate court orders
• Credit reporting agencies
• Individuals or organizations that demonstrate information is necessary to protect the health or
safety of an individual party

The Electronic Communications Privacy Act (ECPA) of 1986, informally referred to as the wiretapping act, is a collection of statutes that regulates the interception of wire, electronic, and oral communications. These statutes work in conjunction with the Fourth Amendment of the U.S. Constitution, which protects individual citizens from unlawful search and seizure.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), also known as the Kennedy-Kassebaum Act, protects the confidentiality and security of healthcare data by establishing and enforcing standards and by standardizing electronic data interchange. HIPAA affects all healthcare organizations, including doctors’ practices, health clinics, life insurers, and universities, as well as some organizations that have self-insured employee health programs.
HIPAA has five fundamental principles:
1. Consumer control of medical information
2. Boundaries on the use of medical information
3. Accountability to maintain the privacy of specified types of information
4. Balance of public responsibility for the use of medical information for the greater good measured against its impact to the individual patient
5. Security of health information
In 2009, an act that attempted to stimulate the American economy, the American
Recovery and Reinvestment Act of 2009 (ARRA), updated and broadened the scope of
HIPAA in a section referred to as the Health Information Technology for Economic
and Clinical Health Act (HITECH).
Export and Espionage Laws
To meet national security needs and to protect trade secrets and other state and private assets, several laws restrict which information, information management resources, and security resources may be exported from the United States. These laws attempt to stem the theft of information by establishing strong penalties for such crimes.
To protect American ingenuity, intellectual property, and competitive advantage, Congress passed the Economic Espionage Act in 1996. This law attempts to prevent trade secrets from being illegally shared.
The Security and Freedom through Encryption Act of 1999 provides guidance for the use of encryption and provides protection from government intervention. The act includes provisions that:
• Reinforce a person’s right to use or sell encryption algorithms without concern for regulations requiring some form of key registration. Key registration is the storage of a cryptographic key (or its text equivalent) with another party for breaking the encryption of data. This is often called “key escrow.”
• Prohibit the federal government from requiring the use of encryption for contracts, grants, and other official documents and correspondence.
• State that the use of encryption is not probable cause to suspect criminal activity.
• Relax export restrictions by amending the Export Administration Act of 1979.
• Provide additional penalties for the use of encryption in the commission of a criminal act.

U.S. Copyright Law

Intellectual property is a protected asset in the United States. The U.S. Copyright Law extends this privilege to published works, including electronic formats. Fair use allows copyrighted materials to be used to support news reporting, teaching, scholarship, and similar activities, as long as the use is for educational or library purposes, is not for profit, and is not excessive.

Financial Reporting
The Sarbanes-Oxley Act of 2002, also known as SOX or the Corporate and Auditing Accountability and Responsibility Act, is a critical piece of legislation that affects the executive management of publicly traded corporations and public accounting firms. The law seeks to improve the reliability and accuracy of financial reporting, as well as increase the accountability of corporate governance, in publicly traded companies.

Freedom of Information Act of 1966

The Freedom of Information Act (FOIA) allows any person to request access to federal agency records or information not determined to be a matter of national security. Agencies of the federal government are required to disclose requested information upon receipt of a written request. This requirement is enforceable in court. However, some information is protected from disclosure, and the act does not apply to state or local government agencies or to private businesses or individuals, although many states have their own version of the FOIA. Figure 3-5 illustrates the number of FOIA requests received by the U.S. government between 2008 and 2012, and their disposition.

Payment Card Industry Data Security Standards (PCI DSS)

For organizations that process payment cards, such as credit cards, debit cards, ATM cards, store-value cards, gift cards, or other related items, the Payment Card Industry (PCI) Security.
PCI DSS addresses the following six areas with 12 requirements:
Area 1: “Build and maintain a secure network and systems.
• Install and maintain a firewall configuration to protect cardholder data.
• Do not use vendor-supplied defaults for system passwords and other security parameters.”
Area 2: “Protect cardholder data.
• Protect stored cardholder data.
• Encrypt transmission of cardholder data across open, public networks.”
Area 3: “Maintain a vulnerability management program.
• Protect all systems against malware and regularly update antivirus software or programs.
• Develop and maintain secure systems and applications.”
Area 4: “Implement strong access control measures.
• Restrict access to cardholder data by a business’s need to know.
• Identify and authenticate access to system components.
• Restrict physical access to cardholder data.”
Area 5: “Regularly monitor and test networks.
• Track and monitor all access to network resources and cardholder data.
• Regularly test security systems and processes.”
Area 6: “Maintain an information security policy.
• Maintain a policy that addresses information security for all personnel.”16
The Council has also issued requirements called the Payment Application Data Security Standard (PA DSS) and PCI Pin Transaction Security (PCI PTS), which provide additional specifications for components of payment card processing.
State and Local Regulations
A critical fact to keep in mind when reading federal computer laws is that the majority
of them are written specifically to protect federal information systems. The laws have
little applicability to private organizations. Thus, such organizations must be cognizant
of the state and local laws that protect and apply to them. Information security
professionals must understand state laws and regulations and ensure that their
organizations’ security policies and procedures are in compliance.

International Laws and Legal Bodies

IT professionals and information security practitioners must realize that when their organizations do business on the Internet, they do business globally. As a result, these professionals must be sensitive to the laws and ethical values of many different cultures, societies, and countries. When it comes to certain ethical values, you may be unable to please all of the people all of the time, but the laws of other nations are one area in which it is certainly not easier to ask for forgiveness than for permission.
Several security bodies and laws are described in this section. Because of the political complexities of relationships among nations and differences in culture, few current international laws cover privacy and information security. The laws discussed in this section are important, but they are limited in their enforceability. The American Society of International Law is one example of an American institution that deals with international law.
U.K. Computer Security Laws
The following laws are in force in the United Kingdom (U.K.) and are similar to those described earlier for the United States:
• Computer Misuse Act 1990: Defined three “computer misuse offenses”:
  1. Unauthorized access to computer material.
  2. Unauthorized access with intent to commit or facilitate commission of further offenses.
  3. Unauthorized acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.17
• Privacy and Electronic Communications (EC Directive) Regulations 2003: Revoked the Data Protection and Privacy Regulations of 1999, and focuses on protection against unwanted or harassing phone, e-mail, and SMS messages.
• Police and Justice Act 2006: Updated the Computer Misuse Act, modified the penalties, and created new crimes defined as the “unauthorized acts with intent to impair operation of computer, etc.,”18 and the manufacture or provision of materials used in computer misuse offenses.
• Personal Internet Safety 2007: A report published by the House of Lords Science and Technology Committee provided a public service, and criticized the U.K. government’s lack of action in protecting personal Internet safety.
Australian Computer Security Laws
The following laws are in force in Australia and its territories, and are similar to those described earlier for the United States:
• Privacy Act 1988: Regulates the collection, storage, use, and disclosure of personal information. Applies both to private and public sectors. Contains 11 information privacy principles for handling personal information by most public sector agencies, and 10 national privacy principles for handling of personal information by nongovernment agencies.19
• Telecommunications Act 1997: Updated as of October 2013; contains regulation related to the collection and storage of privacy data held by telecommunications service providers.
• Corporations Act 2001: Updated by the Corporations Regulations of 2001 and 2002; focuses on business relationships, but similar to SOX, contains provisions related to financial reporting and audits.
• Spam Act 2003: Legislation designed to regulate the amount of unwanted commercial marketing materials, especially via e-mail. Requires businesses to obtain consent of recipients, ensure that businesses accurately identify the recipients, and provide a mechanism by which the recipients may unsubscribe from commercial messages.
• Cybercrime Legislation Amendment Bill 2011: Designed to align Australian laws with the European Convention on Cybercrime (see next section); the bill specifies information that communications carriers and Internet service providers must retain and surrender when requested by law enforcement.
Council of Europe Convention on Cybercrime
The Council of Europe adopted the Convention on Cybercrime in 2001. It created an international task force to oversee a range of security functions associated with Internet activities and standardized technology laws across international borders. It also attempts to improve the effectiveness of international investigations into breaches of technology law. This convention has been well received by advocates of intellectual property rights because it emphasizes prosecution for copyright infringement. However, many supporters of individual rights oppose the convention because they think it unduly infringes on freedom of speech and threatens the civil liberties of U.S. residents.

Ethics and Information Security

Many professionally regulated disciplines have explicit rules that govern the ethical behavior of their members. For example, doctors and lawyers who commit egregious violations of their professions’ canons of conduct can have their legal ability to practice revoked.

Ethical Differences Across Cultures

Cultural differences can make it difficult to determine what is ethical and what is not—especially when it comes to the use of computers. Studies on ethics and computer use reveal that people of different nationalities have different perspectives; difficulties arise when one nationality’s ethical behavior violates the ethics of another national group. For example, to Western cultures, many of the ways in which Asian cultures use computer technology amount to software piracy. This ethical conflict arises out of Asian traditions of collective ownership, which clash with the protection of intellectual property.

Software License Infringement The topic of software license infringement, or piracy, is routinely covered by the popular press. Among study participants, attitudes toward piracy were generally similar; however, participants from the United States and the Netherlands showed statistically significant differences in attitudes from those of the overall group.

Misuse of Corporate Resources The scenarios examined levels of tolerance for misuse of
corporate resources, and each presented a different situation in which corporate assets were used for
nonbusiness purposes without specifying the company’s policy on personal use of its resources. In
general, participants displayed a rather lenient view of personal use of company equipment. Only
students from Singapore and Hong Kong viewed this personal use as unethical.
Ethics and Education
Attitudes toward the ethics of computer use are affected by many factors other than nationality. Differences are found among people within the same country, within the same social class, and within the same company. Key studies reveal that education is the overriding factor in leveling ethical perceptions within a small population. Employees must be trained and kept aware of many topics related to information security, not the least of which is the expected behavior of an ethical employee.

Deterring Unethical and Illegal Behavior

There are three general causes of unethical and illegal behavior:
• Ignorance: Ignorance of the law is no excuse; however, ignorance of policy and procedures is. The first method of deterrence is education, which is accomplished by designing, publishing, and disseminating an organization’s policies and relevant laws, and obtaining agreement to comply with these policies and laws from all members of the organization. Reminders, training, and awareness programs keep policy information in front of employees to support retention and compliance.
• Accident: People who have authorization and privileges to manage information within the organization are most likely to cause harm or damage by accident. Careful planning and control help prevent accidental modification to systems and data.
• Intent: Criminal or unethical intent goes to the state of mind of the person performing the act; it is often necessary to establish criminal intent to successfully prosecute offenders. Protecting a system against those with intent to cause harm or damage is best accomplished by means of technical controls, and vigorous litigation or prosecution if these controls fail.
Key U.S. Federal Agencies
Several key U.S. federal agencies are charged with the protection of American information resources and
the investigation of threats or attacks against these resources. These organizations include the
Department of Homeland Security (DHS) and its subordinate agencies the U.S. Secret Service (USSS)
and US-CERT, the National Security Agency, the Federal Bureau of Investigation (FBI), and the FBI’s
InfraGard program.
Department of Homeland Security
The Department of Homeland Security (DHS, at www.dhs.gov) was created in 2003 by the
Homeland Security Act of 2002, which was passed in response to the events of September 11, 2001.
DHS is made up of five directorates, or divisions, through which it carries out its mission of protecting
American citizens as well as the physical and information assets of the United States. The Directorate of
Information and Infrastructure creates and enhances resources used to discover and respond to attacks
on national information systems and critical infrastructure. The Science and Technology Directorate is
responsible for research and development activities in support of domestic defense. This effort is guided
by an ongoing examination of vulnerabilities throughout the national infrastructure; the directorate
sponsors the emerging best practices developed to counter threats and weaknesses in the system.

Federal Bureau of Investigation (FBI)

The FBI is the primary U.S. law enforcement agency. As such, it investigates both traditional crimes and cybercrimes, and works with the U.S. Attorney’s Office to prosecute suspects. To support the Bureau’s change in mission and to meet newly articulated strategic priorities, Director Mueller called for a reengineering of FBI structure and operations to closely focus the Bureau on prevention of terrorist attacks, on countering foreign intelligence operations against the U.S., and on addressing cybercrime-based attacks and other high-technology crimes.

An Overview of Computer Security:

Computer security refers to protecting and securing computers and their related data, networks, software, and hardware from unauthorized access, misuse, theft, information loss, and other security issues. The Internet has made our lives easier and has provided us with many advantages, but it has also put our systems’ security at risk: of being infected by a virus, of being hacked, of information theft, of damage to the system, and much more.
Three key objectives are at the heart of computer security:
1. Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information. This term covers two related concepts:
• Data confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorized individuals.
• Privacy: Assures that individuals control or influence what information related to them may be collected and stored, and by whom and to whom that information may be disclosed.
2. Integrity: Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information. This term covers two related concepts:
• Data integrity: Assures that information (both stored and in transmitted packets) and programs are changed only in a specified and authorized manner.
• System integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
3. Availability: Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system. Availability assures that systems work promptly and service is not denied to authorized users.

Types of computer security

Computer security can be classified into four types:

1. Cyber Security: Cyber security means securing our computers, electronic devices, networks, programs, and systems from cyber-attacks. Cyber-attacks are those attacks that happen when our system is connected to the Internet.
2. Information Security: Information security means protecting our system’s information from theft, illegal use, and piracy by unauthorized parties. Information security has three main objectives: confidentiality, integrity, and availability of information.
3. Application Security: Application security means securing our applications and data so that they don’t get hacked, and so that the databases of the applications remain safe and private to their owner and users’ data remains confidential.
4. Network Security: Network security means securing a network and protecting the information of the users connected through that network. Over the network, hackers steal packets of data through sniffing and spoofing attacks, man-in-the-middle attacks, war driving, etc., and misuse the data for their own benefit.

Types of cyber attack

1. Denial of service attack or DOS: A denial of service attack is a kind of cyber-attack in which the attackers disrupt the services of a particular network by sending an endless stream of requests, temporarily or permanently making the network or machine resources unavailable to the intended audience.

2. Backdoor: In a backdoor attack, malware, a Trojan horse, or a virus gets installed on our system along with a legitimate file and starts affecting its security. Consider an example: suppose you are installing free software from a certain website on the Internet. Unknowingly, a malicious file also gets installed along with this software, and as soon as you execute the installed software, the malware in that file is activated and starts affecting your computer security. This is known as a backdoor.

3. Eavesdropping: Eavesdropping refers to secretly listening to someone’s conversation without their permission or knowledge. Attackers try to steal, manipulate, modify, or hack information or systems by passively listening to network communication, learning passwords, etc. A physical example: suppose you are talking to another person in your organization and a third person listens to your private conversation; he or she is said to be eavesdropping on your conversation. Similarly, your conversation on the Internet may be eavesdropped on by attackers who connect to your network, if it is insecure, and listen to your private conversation.

4. Phishing: Phishing is pronounced like “fishing,” and it works in a similar way. While fishing, we catch fish by luring them with bait. Similarly, in phishing, a user is tricked by an attacker who gains the trust of the user, or acts as if he is a genuine person, and then steals information by deception. Not only attackers but also certain websites that seem to be genuine are actually fraud sites. These sites trick users, who end up giving away personal information such as login details, bank details, or card numbers. Phishing is of many types: voice phishing, text phishing, etc.

5. Spoofing: Spoofing is the act of masquerading as a valid entity through falsification of data (such as an IP address or username), in order to gain access to information or resources that one is otherwise unauthorized to obtain. Spoofing is of several types: email spoofing, IP address spoofing, MAC spoofing, biometric spoofing, etc.

6. Malware: Malware is made up of two terms: Malicious + Software = Malware. Malware intrudes into the system and is designed to damage our computers. Different types of malware are adware, spyware, ransomware, Trojan horses, etc.

7. Social engineering: A social engineering attack involves manipulating users psychologically and extracting confidential or sensitive data from them by gaining their trust. The attacker generally exploits the trust of people or users by relying on their cognitive biases.

8. Polymorphic Attacks: Poly means “many” and morph means “form”; polymorphic attacks are those in which the attacker adopts multiple forms and changes them so that they are not recognized easily. These kinds of attacks are difficult to detect due to their changing forms.

Steps to ensure computer security

In order to protect our system from the above-mentioned attacks, users should take certain steps to ensure system security:

1. Always keep your Operating System up to date. Keeping it up to date reduces the risk of it being attacked by malware, viruses, etc.

2. Always use a secure network connection. One should always connect to a secure network. Public Wi-Fi and unsecured networks should be avoided, as they are at risk of being attacked by an attacker.

3. Always install an antivirus and keep it up to date. An antivirus is software that scans your PC for viruses and isolates infected files from other system files so that they don’t get affected. Also, we should try to go for paid antivirus products, as they are more secure.

4. Enable the firewall. A firewall is a system designed to prevent unauthorized access to or from a computer, or even to a private network of computers. A firewall can be implemented in hardware, in software, or as a combination of both.

5. Use strong passwords. Always make strong passwords, and use different passwords for all social media accounts, so that they cannot be keylogged, brute forced, or detected easily using dictionary attacks. A strong password is one that has 16 characters which are a combination of upper-case and lower-case letters, numbers, and special characters. Also, keep changing your passwords regularly.

6. Don’t trust someone easily. You never know someone’s intention, so don’t trust someone easily and end up giving your personal information to them. You don’t know how they are going to use your information.

7. Keep your personal information hidden. Don’t post all your personal information on social media. You never know who is spying on you. In the real world, we try to avoid talking to strangers and sharing anything with them. Similarly, social media also has people whom you don’t know, and if you share all your information on it you may end up in trouble.

8. Don’t download attachments that come along with e-mails unless you know that the e-mail is from a genuine source. Often, these attachments contain malware which, upon execution, infects or harms your system.

9. Don’t purchase things online from just anywhere. Make sure that whenever you are shopping online you are doing so from a well-known website. There are multiple fraud websites that may steal your card information as soon as you check out, and you may be left bankrupt by them.

10. Learn about computer security and ethics. You should be well aware of safe computing and the ethics of the computing world. Gaining appropriate knowledge is always helpful in reducing cyber-crime.

11. If you are attacked, immediately inform the cyber cell so that they may take appropriate action and also protect others from being attacked by the same person. Don’t hesitate to complain just because you think people may make fun of you.

12. Don’t use pirated content. Often, people try to download pirated movies, videos, or web series in order to get them for free. Such pirated content is at major risk of being infected with viruses, worms, or malware, and when you download it you end up compromising your system security.

Access Control Matrix:

An access matrix is a digital model used to control and manage permissions. The model defines the rights each user has for different resources. In simple terms, it is a table that shows what actions an individual or a group of users can perform on specific objects within a system.

It represents the access control mechanism that specifies which actions (e.g., read, write, execute) are allowed or denied for each subject on each object.

Different Types of Rights

There are different types of rights that files can have. The most common ones are:

• Read: a process in the domain is allowed to read the file.
• Write: a process in the domain can write to the file.
• Execute: a process in the domain can execute the file.
• Print: a process in the domain has access to a printer.
Sometimes domains can have more than one right, i.e., a combination of the rights mentioned above.

Let us now understand how an access matrix works from the example given below.

Domain | F1         | F2   | F3         | Printer
D1     | read       |      | read       |
D2     |            |      |            | print
D3     |            | read | execute    |
D4     | read write |      | read write |

Observations of Above Matrix

There are four domains and four objects: three files (F1, F2, and F3) and one printer.
• A process executing in D1 can read files F1 and F3.
• A process executing in domain D4 has the same rights as D1, but it can also write to those files.
• The printer can be accessed only by a process executing in domain D2.
• A process executing in domain D3 has the right to read file F2 and execute file F3.
Mechanism of Access Matrix
The mechanism of access matrix consists of many policies and semantic
properties. Specifically, we must ensure that a process executing in domain Di can
access only those objects that are specified in row i. Policies of access matrix
concerning protection involve which rights should be included in the (i, j)th entry. We
must also decide the domain in which each process executes. This policy is usually
decided by the operating system. The users decide the contents of the access-matrix
entries. Association between the domain and processes can be either static or dynamic.
Access matrix provides a mechanism for defining the control for this association
between domain and processes.

Switch operation: When we switch a process from one domain to another, we execute
a switch operation on an object (the domain). We can control domain switching by
including domains among the objects of the access matrix. Processes should be able to
switch from one domain (Di) to another domain (Dj) if and only if a switch right is given
to access (i, j). This is explained using an example below:
Domain | F1         | F2   | F3         | Printer | D1     | D2     | D3     | D4
D1     | read       |      | read       |         |        | switch |        |
D2     |            |      |            | print   |        |        | switch | switch
D3     |            | read | execute    |         |        |        |        |
D4     | read write |      | read write |         | switch |        |        |

According to the above matrix, a process executing in domain D2 can switch to domain
D3 and D4. A process executing in domain D4 can switch to domain D1 and process
executing in domain D1 can switch to domain D2.
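The two matrices above (the plain rights table and the one extended with switch rights) as an added worked example in Python; this code is not part of the notes. It stores each non-empty (domain, object) entry as a set of rights, checks every request of a process against the row of the domain it currently runs in, and treats the domains themselves as objects so that "switch" is an ordinary right held in entry (Di, Dj). It then goes one step beyond the text: `reachable_domains` and `effective_rights` follow switch rights transitively, which shows that a process started in D1 can eventually obtain every right in the matrix, while one started in D3 is confined to its own row. The class and function names (`Process`, `reachable_domains`, `effective_rights`) are my own choices, not standard terminology.

```python
"""Access matrix with domain switching (added example, not from the notes).

Rows are domains D1..D4; columns are the objects F1..F3, the Printer, and the
domains themselves, so that 'switch' is stored in the (Di, Dj) entry exactly
as in the second table of the notes."""
from collections import deque
from typing import Dict, FrozenSet, List, Set, Tuple

Rights = FrozenSet[str]
Matrix = Dict[Tuple[str, str], Rights]

DOMAINS = ("D1", "D2", "D3", "D4")
OBJECTS = ("F1", "F2", "F3", "Printer") + DOMAINS

# The non-empty entries of the notes' second table, row by row.
TABLE = {
    "D1": {"F1": "read", "F3": "read", "D2": "switch"},
    "D2": {"Printer": "print", "D3": "switch", "D4": "switch"},
    "D3": {"F2": "read", "F3": "execute"},
    "D4": {"F1": "read write", "F3": "read write", "D1": "switch"},
}


def build_matrix(table=TABLE) -> Matrix:
    """Turn the row-oriented table into a dict keyed by (domain, object)."""
    matrix: Matrix = {}
    for domain, row in table.items():
        for obj, rights in row.items():
            matrix[(domain, obj)] = frozenset(rights.split())
    return matrix


def access(matrix: Matrix, domain: str, obj: str) -> Rights:
    """access(i, j): the rights domain i holds on object j (empty if none)."""
    return matrix.get((domain, obj), frozenset())


class Process:
    """A process runs in exactly one domain; every request is checked against
    that domain's row (the rule from the notes: Di may touch only row i)."""

    def __init__(self, matrix: Matrix, domain: str):
        self.matrix = matrix
        self.domain = domain
        self.log: List[str] = []  # audit trail of every decision

    def request(self, obj: str, right: str) -> bool:
        allowed = right in access(self.matrix, self.domain, obj)
        verdict = "ALLOW" if allowed else "DENY"
        self.log.append(f"{self.domain} {right} {obj}: {verdict}")
        return allowed

    def switch(self, target: str) -> bool:
        """Move to domain `target` iff 'switch' is in entry (current, target)."""
        if self.request(target, "switch"):
            self.domain = target
            return True
        return False


def reachable_domains(matrix: Matrix, start: str) -> Set[str]:
    """Transitive closure of switch rights: every domain a process that starts
    in `start` can end up in (breadth-first search over switch entries)."""
    seen, todo = {start}, deque([start])
    while todo:
        current = todo.popleft()
        for target in DOMAINS:
            if target not in seen and "switch" in access(matrix, current, target):
                seen.add(target)
                todo.append(target)
    return seen


def effective_rights(matrix: Matrix, start: str) -> Dict[str, Rights]:
    """Rights on non-domain objects obtainable from `start`, switches included.
    A least-privilege review should look at this, not only at row `start`."""
    result: Dict[str, Set[str]] = {}
    for domain in reachable_domains(matrix, start):
        for obj in OBJECTS:
            if obj in DOMAINS:
                continue
            rights = access(matrix, domain, obj)
            if rights:
                result.setdefault(obj, set()).update(rights)
    return {obj: frozenset(r) for obj, r in result.items()}


if __name__ == "__main__":
    m = build_matrix()
    p = Process(m, "D1")
    p.request("F1", "write")       # DENY: D1 holds only read on F1
    p.switch("D2")                 # ALLOW: entry (D1, D2) contains switch
    p.request("Printer", "print")  # ALLOW once in D2
    p.switch("D4")                 # ALLOW: entry (D2, D4) contains switch
    p.request("F1", "write")       # ALLOW once in D4
    print("\n".join(p.log))
    for d in DOMAINS:
        print(d, "reaches", sorted(reachable_domains(m, d)),
              "effective", {o: sorted(r) for o, r in effective_rights(m, d).items()})
```

Running the script prints the audit trail for the walk D1 → D2 → D4 and, for each starting domain, the set of domains it can reach and the union of rights it can obtain. The point for a reviewer is the last part: the row a process starts in understates its privilege whenever switch rights form a chain, so switch entries deserve the same scrutiny as write or execute entries.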
Policy/Policies:
We have to follow certain policies for securing data and information. Those policies are:
1. Security Policies
2. Confidentiality Policies
3. Integrity Policies
4. Hybrid Policies
1. Security Policies
A security policy is a written document that outlines an organization's rules, expectations, and approach for protecting its systems, information, and people.

Purpose
A security policy defines how an organization will maintain the confidentiality, integrity, and availability of its data. It also protects employees and the organization as a whole.

A security policy includes:
• An acceptable use policy that explains how employees should protect the company's assets
• A procedure for evaluating the policy's effectiveness
• A description of how security measures will be enforced.

Types of Security Policies

1. Program policies: These are the highest-level policies that set the tone for the entire information security program.
2. Issue-specific policies: These policies address specific issues, such as email privacy.
3. Technical security policies: These policies describe the configuration of technology for convenient use.
4. Administrative security policies: These policies address how people should behave.
5. Network security policies: These policies prevent unauthorized users from accessing computer networks and devices.
6. Incident response plans: These policies detail the procedures for reporting and responding to data breaches.
7. An organizational security policy describes the whole organization’s security objectives and its
commitment to information security. It can be thought of as the primary document from which other
security policies are derived. Also, it often informs the organization’s compliance goals.
8. System-specific security policies focus on the information security policies of particular systems.
For example, policies for customer-facing applications, payroll systems, or data archive systems.
They typically articulate security objectives and the operational security rules intended to support
them.
Key elements of a security policy
An effective security policy should contain the following elements:

Clear purpose and objectives.
This is especially important for program policies. Remember that many employees have little knowledge of security threats, and may view any type of security control as a burden. A clear mission statement or purpose spelled out at the top level of a security policy should help the entire organization understand the importance of information security.
Scope and applicability.
Every security policy, regardless of type, should include a scope or statement of applicability that clearly states to whom the policy applies. This can be based around the geographic region, business unit, job role, or any other organizational concept, so long as it is properly defined.
Commitment from senior management.
Security policies are meant to communicate intent from senior management, ideally at the C-suite or board level. Without buy-in from this level of leadership, any security program is likely to fail. To succeed, your policies need to be communicated to employees, updated regularly, and enforced consistently. A lack of management support makes all of this difficult, if not impossible.
Realistic and enforceable policies.
While it might be tempting to base your security policy on a model of perfection, you must remember that your employees live in the real world. An overly burdensome policy isn’t likely to be widely adopted. Likewise, a policy with no mechanism for enforcement could easily be ignored by a significant number of employees.
Clear definitions of important terms.
Remember that the audience for a security policy is often non-technical. Concise and jargon-free language is important, and any technical terms in the document should be clearly defined.
Clark-Wilson Security Model
This model is a highly secure model; it has the following entities.

Users
It all starts with users, otherwise known as the subjects: the subjects that will access the
objects. Users are the ones that need the information. The textbooks call users the "active
agents".

Transformation Procedures (TPs)
Then we have Transformation Procedures. Think of them as the operations the subject is trying
to perform.

Constrained Data Items (CDIs)
There are Constrained Data Items and Unconstrained Data Items; in a Clark-Wilson model these
are the two types of protection given to data items.
Objects which belong to the subset of Constrained Data Items are at a higher level of
protection. Constrained Data Items can only be manipulated by a Transformation Procedure: in
order to read an object located in the Constrained Data Items subset, the subject has to go
through a transformation procedure. Objects in the Constrained Data Items subset are so
valuable that, in a Clark-Wilson model, a subject has to go through an intermediary even just to
access them.

Unconstrained Data Items (UDIs)
Objects in the Unconstrained Data Items subset are probably not that important. They can be
accessed by the subject directly; the subject does not need to go through an intermediary such as
a Transformation Procedure, and can perform its own read and write operations. Subjects access
objects in a UDI the way they would normally access an object in a networked environment, as if
they were not using a Clark-Wilson model, much as we access files or objects in a Windows
operating system.
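The following is an added example, not code from the notes: a toy Clark-Wilson reference monitor in Python that enforces the rules just described. Users reach CDIs only through a Transformation Procedure, and only when the (user, TP, CDI) triple has been certified; UDIs are read and written directly. Before a TP's result is committed, an integrity verification procedure (IVP, a part of the model the notes above do not cover) checks that the CDI is still in a valid state. The users alice and bob, the "ledger" CDI, the "scratchpad" UDI and the transfer TP are all constructed for illustration.

```python
"""Added example (not from the notes): a toy Clark-Wilson reference monitor.

Users (subjects) may touch Constrained Data Items (CDIs) only through
Transformation Procedures (TPs), and only when the (user, TP, CDI) triple
has been certified.  Unconstrained Data Items (UDIs) are read and written
directly.  Before a TP's result is committed, an integrity verification
procedure (IVP) checks that the CDI is still in a valid state.  The users,
the 'ledger' CDI and the transfer TP are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Set, Tuple


class AccessDenied(Exception):
    """Raised when the monitor refuses an access."""


def ledger_ivp(ledger: Dict[str, int]) -> bool:
    """IVP for the ledger CDI: valid only if no account balance is negative."""
    return all(balance >= 0 for balance in ledger.values())


def transfer(ledger: Dict[str, int], src: str, dst: str, amount: int) -> Dict[str, int]:
    """A TP: returns a new ledger with `amount` moved from `src` to `dst`."""
    new = dict(ledger)
    new[src] = new.get(src, 0) - amount
    new[dst] = new.get(dst, 0) + amount
    return new


@dataclass
class ClarkWilsonMonitor:
    cdis: Dict[str, Any] = field(default_factory=dict)        # constrained data items
    udis: Dict[str, Any] = field(default_factory=dict)        # unconstrained data items
    tps: Dict[str, Callable[..., Any]] = field(default_factory=dict)
    ivps: Dict[str, Callable[[Any], bool]] = field(default_factory=dict)  # per-CDI IVP
    certified: Set[Tuple[str, str, str]] = field(default_factory=set)     # (user, tp, cdi)
    audit: List[Tuple[str, str, str]] = field(default_factory=list)

    def certify(self, user: str, tp: str, cdi: str) -> None:
        """Record that `user` may run `tp` against `cdi`."""
        self.certified.add((user, tp, cdi))

    # UDIs: the subject accesses them directly, with no intermediary.
    def read_udi(self, name: str) -> Any:
        return self.udis[name]

    def write_udi(self, name: str, value: Any) -> None:
        self.udis[name] = value

    # CDIs: never accessed directly; the only path is a certified TP.
    def read_cdi(self, user: str, name: str) -> Any:
        raise AccessDenied(f"{user} may not read CDI {name!r} directly; use a TP")

    def run_tp(self, user: str, tp: str, cdi: str, *args: Any) -> Any:
        if (user, tp, cdi) not in self.certified:
            raise AccessDenied(f"({user}, {tp}, {cdi}) is not a certified triple")
        new_state = self.tps[tp](self.cdis[cdi], *args)
        if not self.ivps[cdi](new_state):
            raise AccessDenied(f"TP {tp!r} would leave CDI {cdi!r} in an invalid state")
        self.cdis[cdi] = new_state          # commit only after the IVP passes
        self.audit.append((user, tp, cdi))  # every CDI change is logged
        return new_state


def build_monitor() -> ClarkWilsonMonitor:
    """Constructed sample state: one ledger CDI, one scratchpad UDI, one TP."""
    m = ClarkWilsonMonitor()
    m.cdis["ledger"] = {"acct_a": 100, "acct_b": 50}
    m.ivps["ledger"] = ledger_ivp
    m.udis["scratchpad"] = "draft note"
    m.tps["transfer"] = transfer
    m.certify("alice", "transfer", "ledger")   # bob is deliberately not certified
    return m


def cw_demo() -> Dict[str, Any]:
    """Run a few accesses and report which were allowed or denied."""
    m = build_monitor()
    results: Dict[str, Any] = {"udi_direct": m.read_udi("scratchpad")}
    results["alice_transfer"] = m.run_tp("alice", "transfer", "ledger", "acct_a", "acct_b", 30)
    attempts = {
        "bob_transfer": lambda: m.run_tp("bob", "transfer", "ledger", "acct_a", "acct_b", 1),
        "alice_direct_read": lambda: m.read_cdi("alice", "ledger"),
        "alice_overdraw": lambda: m.run_tp("alice", "transfer", "ledger", "acct_a", "acct_b", 999),
    }
    for name, attempt in attempts.items():
        try:
            attempt()
            results[name] = "allowed"
        except AccessDenied:
            results[name] = "denied"
    results["ledger_after"] = m.cdis["ledger"]
    results["audit"] = list(m.audit)
    return results


if __name__ == "__main__":
    for key, value in cw_demo().items():
        print(f"{key}: {value}")
```

The monitor refuses bob's transfer (no certified triple), alice's direct read of the ledger (CDIs are reachable only through a TP), and alice's overdraw (the IVP rejects the resulting state, so the ledger is left unchanged), while alice's certified transfer of 30 goes through and is recorded in the audit log.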
Confidentiality Policy:
A confidentiality policy is a set of guidelines that establishes how to handle and protect
sensitive information. It's an important part of an organization's activities, and it helps to
prevent the risks of confidential data leakage.
Three main categories of confidential information exist: business, employee and
management information.

The general statement of the requirement for multilevel security is that a subject at a high level
(e.g. in the military, a field marshal, the highest rank) may not convey information to a subject at
a lower level (e.g. a subedar) or an incompatible level unless that flow accurately reflects the
will of an authorized user.

Types of confidentiality

Accountant confidentiality

Accountants work with confidential information and must be professional and trustworthy.

Equitable confidentiality

This doctrine protects confidential information that one party provides to another, with the
expectation that the information will not be disclosed or used without authorization.

Data confidentiality

This refers to protecting data from unauthorized access or disclosure, including personal
privacy and proprietary information.

Bell-LaPadula Model:
The BLP security model is defined as follows.

• A computer system is modeled as a state-transition system. There is a set of subjects; some are
designated as trusted.
– Each state has objects, an access matrix, and the current access information.
– There are state transition rules describing how a system can go from one state to another.
– Each subject s has a maximal security level Lm(s) and a current security level Lc(s).
– Each object has a classification level.
• There are security classifications or security levels.
– Users/principals/subjects have security clearances.
– Objects have security classifications.
It also supports discretionary access control by checking access rights from an access matrix. The Bell-
LaPadula model is defined by the following properties:

Simple security property (ss-property): This property states that a subject at one level of confidentiality
is not allowed to read information at a higher level of confidentiality. This is sometimes referred to as
"no read up". A person in one classification level cannot read data in a higher classification level. If you
have a Secret clearance, then you cannot read objects with a label of Top Secret.

Star (*) security property: This property states that a subject at one level of confidentiality is not
allowed to write information to a lower level of confidentiality. This is also known as "no write down".
A person in a higher classification level cannot write messages to someone in a lower classification level.
If you have a clearance of Top Secret, then you cannot write messages to someone with a Secret
clearance.

Discretionary security property (ds-property): An individual (or role) may grant to another
individual (or role) access to a document based on the owner's discretion, constrained by the MAC rules.

INTEGRITY POLICIES
Integrity refers to the trustworthiness of data or resources. Integrity is usually defined in terms
of preventing improper or unauthorized change to data.
There are three main policies of integrity:
 Preventing unauthorized users from making modifications to data or programs.
 Preventing authorized users from making improper or unauthorized modifications.
 Maintaining internal and external consistency of data and programs.

Integrity Levels
Integrity levels are defined by labels, consisting of two parts:
 a classification
 a set of categories.
Integrity levels are given to the subjects and objects in the system. Integrity labels tell the degree of
confidence that may be placed in the data.

Classification of Integrity
A classification is an element of a hierarchical set of elements. It consists of these elements:
 Crucial (C)
 Very Important (VI)
 Important (I)
The relationship of the elements is:
C > VI > I
Each integrity level will be represented as L = (C, S)
where:
L is the integrity level,
C is the classification, and
S is the set of categories.
BIBA MODEL
The Biba integrity model was published in 1977 at the Mitre Corporation, one year after the Bell-LaPadula
model was published.
The primary motivation for creating this model is the inability of the Bell-LaPadula model to deal with
the integrity of data.
The Biba model addresses the problem with the star property of the Bell-LaPadula model, which does
not restrict a subject from writing to a more trusted object. The Biba model, on the other hand, ignores
confidentiality altogether and deals only with integrity. So, the main goal of the Biba model is to
prevent unauthorized users from making modifications to a particular document.

Subjects and Objects
Like other models, the Biba model supports the access control of both subjects and objects.
 Subjects are the active elements in the system that can access information (processes acting on
behalf of the users).
 Objects are the passive system elements for which access can be requested (files, programs,
etc.).
Each subject and object in the Biba model will have an integrity level associated with it.

Access Modes
The Biba model consists of the following access modes:
Modify: the modify right allows a subject to write to an object. This mode is similar to the write mode in
other models.
Observe: the observe right allows a subject to read an object. This command is synonymous with the read
command of most other models.
Invoke: the invoke right allows a subject to communicate with another subject.
Execute: the execute right allows a subject to execute an object. The command essentially allows a
subject to execute a program, which is the object.
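The following is an added example, not code from the notes, serving both the Bell-LaPadula section and the integrity-level and Biba sections above. It represents every label in the form L = (C, S) from the integrity section, where C is a classification drawn from an ordered set and S is a set of categories, and defines "label A dominates label B" as: A's classification is at least B's and A's category set includes B's. On top of that one relation it checks the BLP ss-property (no read up) and *-property (no write down), combines them with an access matrix for the ds-property, and checks the mirror-image Biba rules (observe: no read down; modify: no write up). The subject label stands for the subject's current level Lc(s). The numeric ranks are an assumption (only the ordering matters), and the subject "alice", the documents and the categories "nuclear" and "crypto" are constructed for illustration.

```python
"""Added example (not from the notes): a lattice checker for the Bell-LaPadula
and Biba rules using labels of the form L = (C, S).

Label A dominates label B when A's classification is at least B's and A's
category set includes B's.  BLP checks dominance for confidentiality; Biba
checks the mirror image for integrity.  Numeric ranks are an assumption
(only the ordering matters); names and categories are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple


@dataclass(frozen=True)
class Label:
    classification: int          # rank in the ordered set; higher = more sensitive / more trusted
    categories: FrozenSet[str]   # the S in L = (C, S)

    def dominates(self, other: "Label") -> bool:
        return (self.classification >= other.classification
                and self.categories >= other.categories)


# Confidentiality classifications for BLP (standard ordering; ranks assumed).
BLP = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}
# Integrity classifications from the notes: C > VI > I.
BIBA = {"I": 0, "VI": 1, "C": 2}


def label(scheme: Dict[str, int], name: str, *categories: str) -> Label:
    """Build L = (C, S) from a classification name and its categories."""
    return Label(scheme[name], frozenset(categories))


# --- Bell-LaPadula (confidentiality) -----------------------------------
def blp_can_read(subject: Label, obj: Label) -> bool:
    """ss-property, "no read up": the subject's level must dominate the object's."""
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-property, "no write down": the object's level must dominate the subject's."""
    return obj.dominates(subject)


def blp_access(subject: str, s_lbl: Label, obj: str, o_lbl: Label, mode: str,
               matrix: Dict[Tuple[str, str], Set[str]]) -> bool:
    """Full BLP decision: the mandatory rule AND the discretionary access
    matrix (ds-property) must both permit the access."""
    mac_ok = blp_can_read(s_lbl, o_lbl) if mode == "read" else blp_can_write(s_lbl, o_lbl)
    dac_ok = mode in matrix.get((subject, obj), set())
    return mac_ok and dac_ok


# --- Biba (integrity): the dual of BLP --------------------------------
def biba_can_observe(subject: Label, obj: Label) -> bool:
    """Simple integrity, "no read down": only observe objects at least as trusted."""
    return obj.dominates(subject)


def biba_can_modify(subject: Label, obj: Label) -> bool:
    """*-integrity, "no write up": only modify objects no more trusted than yourself."""
    return subject.dominates(obj)


def lattice_demo() -> Dict[str, bool]:
    """Constructed subjects and objects exercising each rule."""
    secret_s = label(BLP, "SECRET", "nuclear")       # subject cleared Secret, category nuclear
    ts_doc = label(BLP, "TOP_SECRET", "nuclear")
    conf_doc = label(BLP, "CONFIDENTIAL")
    crypto_doc = label(BLP, "SECRET", "crypto")      # same level, but a category not held
    matrix = {("alice", "conf_doc"): {"read", "write"}, ("alice", "ts_doc"): {"write"}}

    vi_proc = label(BIBA, "VI")                      # process at integrity level VI
    crucial_obj = label(BIBA, "C")
    important_obj = label(BIBA, "I")

    return {
        "blp_read_up": blp_can_read(secret_s, ts_doc),                 # False
        "blp_read_down": blp_can_read(secret_s, conf_doc),             # True
        "blp_read_missing_cat": blp_can_read(secret_s, crypto_doc),    # False
        "blp_write_up": blp_can_write(secret_s, ts_doc),               # True
        "blp_write_down": blp_can_write(secret_s, conf_doc),           # False
        "blp_dac_write_up": blp_access("alice", secret_s, "ts_doc", ts_doc, "write", matrix),        # True
        "blp_dac_write_down": blp_access("alice", secret_s, "conf_doc", conf_doc, "write", matrix),  # False: MAC blocks it
        "biba_observe_up": biba_can_observe(vi_proc, crucial_obj),     # True
        "biba_observe_down": biba_can_observe(vi_proc, important_obj), # False
        "biba_modify_up": biba_can_modify(vi_proc, crucial_obj),       # False
        "biba_modify_down": biba_can_modify(vi_proc, important_obj),   # True
    }


if __name__ == "__main__":
    for rule, allowed in lattice_demo().items():
        print(f"{rule}: {'allowed' if allowed else 'denied'}")
```

Two points the table of results makes visible: the category set matters as much as the level (a Secret subject cannot read a Secret document in a category it does not hold), and the discretionary matrix can only further restrict what the mandatory rules allow, never override them (alice has a write entry for the Confidential document, but the *-property still refuses the write down).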

Hybrid Policies:
A hybrid work policy is a written document that outlines how a company balances
remote and in-person work. It can help with recruiting, building company culture, and
running a more efficient business.
A hybrid work policy can include:
 Guidelines: How, when, and where employees work
 Expectations: In-office expectations, remote work options, and working hours
 Best practices: Collaboration and communication best practices, processes, and
tools
 Technology: Technology, equipment, and office access guidelines and resources
 Safety: Workplace safety procedures and security and compliance regulations
 Contact details: Contact details for follow-up questions related to the policy
Benefits of hybrid work include:
 Collaboration
 Innovation
 Building culture
 Quiet
 Lack of commuting
