Lecture 01 Chapter 01 Whitman

The document provides an overview of the history and principles of information security, detailing its evolution from the early days of mainframes and ARPANET to the present day where cyber threats are prevalent. It outlines key concepts, types of attackers, and the importance of a layered security approach while emphasizing the balance between security and accessibility. Additionally, it discusses the roles of security professionals and the methodologies for implementing information security within organizations.


Najeeb Ur Rehman

CS324 Information Security
Introduction to Information Security

Principles of Information Security, Chapter 1 Introduction to Information Security


Introduction
• Information security: a “well-informed sense of assurance that the information risks and controls are in balance.” — Jim Anderson, Inovant (2002)
• Security professionals must review the origins of this field to understand its impact on our understanding of information security today
The History of Information Security
• Began immediately after the development of the first mainframes
• Developed for code-breaking computations during World War II
• Multiple levels of security were implemented
• Physical controls
• Rudimentary
• Defending against physical theft, espionage, and sabotage
The 1960s
• Original communication by mailing tapes
• Advanced Research Projects Agency (ARPA)
• Examined the feasibility of redundant networked communications
• Larry Roberts developed ARPANET from its inception
• Plan
• Link computers
• Resource sharing
• Link 17 computer research centers
• Cost 3.4M
• ARPANET is the predecessor to the Internet
The 1970s and 80s
• ARPANET grew in popularity
• Potential for misuse grew
• Fundamental problems with ARPANET security
• Individual remote sites were not secured against unauthorized users
• Vulnerability of password structure and formats
• No safety procedures for dial-up connections to ARPANET
• Non-existent user identification and authorization to the system
The 1970s and 80s (cont’d.)
• Rand Report R-609
• Paper that started the study of computer security
• Information security as we know it began
• Scope of computer security grew from physical security to include:
• Safety of data
• Limiting unauthorized access to data
• Involvement of personnel from multiple levels of an organization
MULTICS
• Early focus of computer security research
• System called Multiplexed Information and Computing Service (MULTICS)
• First operating system created with security as its primary goal
• Mainframe, time-sharing OS developed in the mid-1960s
• GE, Bell Labs, and MIT
• Several MULTICS key players went on to create UNIX
• Late 1970s
• Microprocessor expanded computing capabilities
• Mainframe presence reduced
• Expanded security threats
The 1990s
• Networks of computers became more common
• Need to interconnect networks
• Internet became the first manifestation of a global network of networks
• Initially based on de facto standards
• In early Internet deployments, security was treated as a low priority
2000 to Present
• Millions of computer networks communicate
• Many of these communications are unsecured
• The ability to secure a computer’s data is influenced by the security of every computer to which it is connected
• The growing threat of cyber attacks has increased the need for improved security
What is Security?
• “The quality or state of being secure—to be free from danger”
• A successful organization should have multiple layers of security in place:
• Physical security
• Personal security
• Operations security
• Communications security
• Network security
• Information security
What is Security? (cont’d.)
• The protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information
• Necessary tools: policy, awareness, training, education, technology
• C.I.A. triangle
• The industry standard, based on confidentiality, integrity, and availability
• Now expanded into a list of critical characteristics of information
Figure 1-3 Components of Information Security
Information Security
That which protects the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information, through products, people, and procedures
Key Information Security Concepts
• Access
• Asset
• Attack
• Control, Safeguard, or Countermeasure
• Exploit
• Exposure
• Loss
• Protection Profile or Security Posture
• Risk
• Subjects and Objects
• Threat
• Threat Agent
• Vulnerability
Key Information Security Concepts (cont’d.)
• A computer can be the subject of an attack
• A computer can be the object of an attack
• When the subject of an attack
• The computer is used as an active tool to conduct the attack
• When the object of an attack
• The computer is the entity being attacked
Figure 1-5 Computer as the Subject and Object of an Attack
Who Are the Attackers?
• The types of people behind computer attacks are generally divided into several categories
• These include
• Hackers
• Script kiddies
• Spies
• Employees
• Cybercriminals, and
• Cyberterrorists
Hackers
• Hacker
• Generic sense: anyone who illegally breaks into or attempts to break into a computer system
• Narrow sense: a person who uses advanced computer skills to attack computers only to expose security flaws
• Although breaking into another person’s computer system is illegal
• Some hackers believe it is ethical as long as they do not commit theft, vandalism, or breach any confidentiality
Script Kiddies
• Script kiddies
• Want to break into computers to create damage
• Unskilled users
• Download automated hacking software (scripts) from Web sites and use it to break into computers
• They are sometimes considered more dangerous than hackers
• Script kiddies tend to be computer users who have almost unlimited amounts of leisure time, which they can use to attack systems
Spies
• Computer spy
• A person who has been hired to break into a computer and steal information
• Spies are hired to attack a specific computer or system that contains sensitive information
• Their goal is to break into that computer or system and take the information without drawing any attention to their actions
• Spies, like hackers, possess excellent computer skills
Employees
• One of the largest information security threats to a business actually comes from its employees
• Reasons
• An employee might want to show the company a weakness in its security
• Disgruntled employees may be intent on retaliating against the company
• Industrial espionage
• Blackmail
Cybercriminals
• Cybercriminals
• A loose-knit network of attackers, identity thieves, and financial fraudsters
• More highly motivated, less risk-averse, better funded, and more tenacious than hackers
• Many security experts believe that cybercriminals belong to organized gangs of young and mostly Eastern European attackers
• Cybercriminals have a more focused goal that can be summed up in a single word: money
Hackers … Reading Task 1
1. White Hat Hackers
2. Black Hat Hackers
3. Gray Hat Hackers
4. Green Hat Hackers
5. Blue Hat Hackers
6. Red Hat Hackers
Others
• State/Nation Sponsored Hackers
• Hacktivist
• Malicious Insider or Whistleblower
Critical Characteristics of Information
• The value of information comes from the characteristics it possesses:
• Availability
• Accuracy
• Authenticity
• Confidentiality
• Integrity
• Utility
• Possession
A more general security model
• CNSS Security Model
• Also known as the McCumber Cube
• Provides a more detailed perspective on security
• Covers the three dimensions of information security
• Document available at http://www.cnss.gov/Assets/pdf/nstissi_4011.pdf

Management of Information Security, 3rd Edition

CNSS Security Model
• CNSS (Committee on National Security Systems): a three-dimensional model
Figure 1-6 The McCumber Cube

Figure 1-1 Components of Information Security (Source: Course Technology/Cengage Learning)

Attacks and Defenses
• Although there is a wide variety of attacks that can be launched against a computer or network
• The same basic steps are used in most attacks
• Protecting computers against these steps in an attack calls for five fundamental security principles
Steps of an Attack
• The five steps that make up an attack
i. Probe for information
ii. Penetrate any defenses
iii. Modify security settings
iv. Circulate to other systems
v. Paralyze networks and devices
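Three of these steps leave traces in ordinary logs, which is what a detection engineer looks for. The following is an added example, not part of the lecture slides or the textbook: a small Python detector run over a constructed log stream (the log format, the addresses, the account name `svc_backup` and the thresholds are all assumptions made for this illustration). It flags a probe (many distinct ports from one source in a short window), a penetration (a successful login after repeated failures for the same source and account) and circulation (the same account then authenticating from the compromised host to several other hosts).

```python
"""Map constructed log events onto the attack steps named on the slide:
probe (i), penetrate (ii) and circulate (iv). Added example; the event
format and thresholds are assumptions, not a product's or the textbook's."""
from collections import defaultdict

# Constructed sample log: (timestamp_seconds, source, event, target, detail).
# For "conn" events detail is the destination port; for auth events it is
# the account name. The merged firewall+auth format is an assumption.
SAMPLE_LOG = [
    (0,   "10.0.0.7", "conn",      "10.0.1.5", "22"),
    (1,   "10.0.0.7", "conn",      "10.0.1.5", "80"),
    (2,   "10.0.0.7", "conn",      "10.0.1.5", "443"),
    (3,   "10.0.0.7", "conn",      "10.0.1.5", "3389"),
    (4,   "10.0.0.7", "conn",      "10.0.1.5", "8080"),
    (5,   "10.0.0.7", "conn",      "10.0.1.5", "445"),
    (40,  "10.0.0.7", "auth_fail", "10.0.1.5", "svc_backup"),
    (41,  "10.0.0.7", "auth_fail", "10.0.1.5", "svc_backup"),
    (42,  "10.0.0.7", "auth_fail", "10.0.1.5", "svc_backup"),
    (43,  "10.0.0.7", "auth_fail", "10.0.1.5", "svc_backup"),
    (45,  "10.0.0.7", "auth_ok",   "10.0.1.5", "svc_backup"),
    (90,  "10.0.1.5", "auth_ok",   "10.0.1.6", "svc_backup"),
    (95,  "10.0.1.5", "auth_ok",   "10.0.1.7", "svc_backup"),
    (99,  "10.0.1.5", "auth_ok",   "10.0.1.8", "svc_backup"),
    (120, "10.0.0.9", "conn",      "10.0.1.5", "443"),  # benign single connection
]

# Thresholds are assumptions; tune them to the environment's baseline.
PROBE_PORTS = 5          # distinct ports from one source within PROBE_WINDOW
PROBE_WINDOW = 60        # seconds
FAILS_BEFORE_SUCCESS = 3 # failures for (source, host, account) before a success
SPREAD_HOSTS = 3         # hosts one account reaches from a single pivot host


def detect_stages(log):
    """Return a list of (stage, source, evidence) findings, in stage order."""
    findings = []

    # Step i, probe: sliding window over distinct destination ports per source.
    conns = defaultdict(list)
    for ts, src, ev, dst, detail in log:
        if ev == "conn":
            conns[src].append((ts, detail))
    for src, events in conns.items():
        events.sort()
        for i, (ts0, _) in enumerate(events):
            ports = {p for ts, p in events[i:] if ts - ts0 <= PROBE_WINDOW}
            if len(ports) >= PROBE_PORTS:
                findings.append(("probe", src, f"{len(ports)} distinct ports"))
                break

    # Step ii, penetrate: a success preceded by repeated failures for the same
    # (source, host, account); the counter resets on success.
    fails = defaultdict(int)
    for ts, src, ev, dst, detail in log:
        key = (src, dst, detail)
        if ev == "auth_fail":
            fails[key] += 1
        elif ev == "auth_ok":
            if fails[key] >= FAILS_BEFORE_SUCCESS:
                findings.append(("penetrate", src,
                                 f"{detail}@{dst} after {fails[key]} failures"))
            fails[key] = 0

    # Step iv, circulate: one account succeeding on many hosts from one pivot.
    spread = defaultdict(set)
    for ts, src, ev, dst, detail in log:
        if ev == "auth_ok":
            spread[(src, detail)].add(dst)
    for (src, account), hosts in spread.items():
        if len(hosts) >= SPREAD_HOSTS:
            findings.append(("circulate", src, f"{account} to {len(hosts)} hosts"))

    return findings


if __name__ == "__main__":
    for finding in detect_stages(SAMPLE_LOG):
        print(finding)
```

Each detector is deliberately independent: a probe can occur without a follow-on login, and lateral movement with valid credentials never trips the failure counter, so the stages are correlated by source address afterwards rather than assumed to appear in sequence.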
Defenses against Attacks
• Although multiple defenses may be necessary to withstand an attack
• These defenses should be based on five fundamental security principles:
• Layering
• Limiting
• Diversity
• Obscurity
• Simplicity
• Layering: Provides the most comprehensive protection. Instead of one security defense you have multiple defenses. If one of the defenses is broken, the attacker must then penetrate the next layer of defense. More layers add more security, but the protection is bounded by the vulnerability of each individual defense.
• Limiting: People should be authorized only for the information they need to do a task. Access must be restricted to the minimum necessary (least privilege).
• Diversity: Closely related to layering; if you are using layers of security you must use different types of security for each layer, so that an attacker must use different techniques to attack each layer. A flaw shared by every layer defeats layering.
• Obscurity: Making it more difficult for an outsider to recognize what is going on inside. Obscurity supplements the other principles; it is not a substitute for them.
• Simplicity: Making a security system harder to use may make users lazy and lead them to create bypasses. Also, if security is complex to set up, it creates more work for the security professional, who may miss a vulnerability.
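Layering, limiting and diversity are easiest to see in a single request pipeline. The following is an added example, not code from the slides or the textbook: a hypothetical service in Python whose network allow-list, HMAC-token authentication and role-based authorization are three independent layers of different kinds (diversity), each user's role grants only the actions its job needs (limiting), and the request is rejected at the first layer that fails (layering). The address range, the secret, the roles, the users and the sample requests are all assumptions made for the illustration.

```python
"""Layering, limiting and diversity in one request pipeline. Added example;
the service, its address range, secret, roles and users are hypothetical."""
import hashlib
import hmac
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Request:
    src_ip: str
    token: str
    user: str
    action: str    # "read", "write" or "admin"
    resource: str


# Layer 1 (network): only the assumed corporate range reaches the service.
ALLOWED_NETS = [ip_network("10.0.0.0/8")]

# Layer 2 (authentication): HMAC-SHA256 bearer tokens. The secret is an
# assumption for this example; a real service would load it from a vault.
SECRET = b"example-secret-not-for-production"

# Layer 3 (authorization, "limiting"): each role gets only what its job needs.
ROLE_ACTIONS = {
    "analyst": {"read"},
    "editor":  {"read", "write"},
    "admin":   {"read", "write", "admin"},
}
USER_ROLES = {"alice": "analyst", "bob": "editor", "carol": "admin"}


def mint_token(user: str) -> str:
    """Token the service would hand out after a login (hypothetical scheme)."""
    return hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()


def layer_network(req: Request) -> bool:
    ip = ip_address(req.src_ip)
    return any(ip in net for net in ALLOWED_NETS)


def layer_auth(req: Request) -> bool:
    # Constant-time comparison so token bytes do not leak through timing.
    return hmac.compare_digest(req.token, mint_token(req.user))


def layer_authz(req: Request) -> bool:
    role = USER_ROLES.get(req.user)
    return role is not None and req.action in ROLE_ACTIONS[role]


# Three layers of three different kinds: an attacker who defeats one
# (say, a spoofed source address) still faces mechanisms of another kind.
LAYERS = [("network", layer_network), ("auth", layer_auth), ("authz", layer_authz)]


def admit(req: Request, layers=LAYERS):
    """Every layer must pass independently; returns (allowed, failing_layer)."""
    for name, check in layers:
        if not check(req):
            return (False, name)
    return (True, None)


# Constructed requests exercising each layer.
SAMPLE_REQUESTS = {
    "outsider":        Request("203.0.113.5", mint_token("alice"), "alice", "read", "report"),
    "forged_token":    Request("10.1.2.3", "bogus", "alice", "read", "report"),
    "over_privileged": Request("10.1.2.3", mint_token("alice"), "alice", "write", "report"),
    "legitimate":      Request("10.1.2.3", mint_token("bob"), "bob", "write", "report"),
}


def evaluate_all():
    return {name: admit(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, outcome in evaluate_all().items():
        print(f"{name:16} -> {outcome}")
```

Removing the network layer (for instance a misconfigured allow-all rule) is the case layering exists for: `admit(req, layers=LAYERS[1:])` still rejects the forged token at the authentication layer, and the analyst's write is still refused at authorization. Note that nothing here relies on obscurity; the layers hold even if the attacker knows exactly how each works.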
Components of an Information System
• An information system (IS) is the entire set of components necessary to use information as a resource in the organization
• Software
• Hardware
• Data
• People
• Procedures
• Networks
Balancing Information Security and Access
• Impossible to obtain perfect security
• Process, not an absolute
• Security should be considered a balance between protection and availability
• Must allow reasonable access, yet protect against threats
Figure 1-8 Balancing Information Security and Access


Approaches to Information Security Implementation: Bottom-Up Approach
• Grassroots effort driven by systems administrators
• Key advantage: technical expertise of individual administrators
• Seldom works
• Lacks a number of critical features:
• Participant support
• Organizational staying power
Approaches to Information Security Implementation: Top-Down Approach
• Initiated by upper management
• Issue policy, procedures, and processes
• Dictate goals and expected outcomes of the project
• Determine accountability for each required action
• Most successful
• Involves a formal development strategy
• Systems development life cycle
Figure 1-9 Approaches to Information Security Implementation
Security Professionals and the Organization
• A wide range of professionals is required to support a diverse information security program
• Senior management is a key component
• Additional administrative support and technical expertise are required to implement the details of the information security program
Senior Management
• Chief Information Officer (CIO)
• Senior technology officer
• Primarily responsible for advising senior executives on strategic planning
• Chief Information Security Officer (CISO)
• Primarily responsible for the assessment, management, and implementation of information security in the organization
• Usually reports directly to the CIO
Information Security Project Team
• A number of individuals who are experienced in one or more facets of the required technical and nontechnical areas:
• Champion
• Team leader
• Security policy developers
• Risk assessment specialists
• Security professionals
• Systems administrators
• End users
Data Responsibilities
• Data owner: responsible for the security and use of a particular set of information
• Data custodian: responsible for the storage, maintenance, and protection of information
• Data users: end users who work with information to perform their daily jobs supporting the mission of the organization
Communities of Interest
• Group of individuals united by similar interests/values within an organization
• Information security management and professionals
• Information technology management and professionals
• Organizational management and professionals
The Systems Development Life Cycle
• Systems Development Life Cycle (SDLC):
• Methodology for the design and implementation of an information system
• Methodology:
• Formal approach to problem solving
• Based on a structured sequence of procedures
• Using a methodology:
• Ensures a rigorous process
• Increases the probability of success
• The traditional SDLC consists of six general phases
Figure 1-10 SDLC Waterfall Methodology
Investigation
• What problem is the system being developed to solve?
• Objectives, constraints, and scope of the project specified
• Preliminary cost-benefit analysis developed
• At the end
• Feasibility analysis performed
• Assess economic, technical, and behavioural feasibilities
Analysis
• Consists of assessments of:
• The organization
• Current systems
• Capability to support proposed systems
• Determine what the new system is expected to do
• Determine how it will interact with existing systems
• Ends with documentation
Logical Design
• Main factor is business need
• Applications capable of providing the needed services are selected
• Necessary data support and structures identified
• Technologies to implement the physical solution determined
• Feasibility analysis performed at the end
Physical Design
• Technologies to support the alternatives identified and evaluated in the logical design are selected
• Components evaluated on a make-or-buy decision
• Feasibility analysis performed
• Entire solution presented to end-user representatives for approval
Implementation
• Needed software created
• Components ordered, received, and tested
• Users trained and documentation created
• Feasibility analysis prepared
• Users presented with the system for performance review and acceptance test
Maintenance and Change
• Longest and most expensive phase
• Tasks necessary to support and modify the system
• Lasts for the product’s useful life
• Life cycle continues
• Process begins again from the investigation phase
• When the current system can no longer support the organization’s mission, a new project is implemented
The Security Systems Development Life Cycle
• The same phases used in the traditional SDLC
• Need to be adapted to support the implementation of an information security project
• Identify specific threats and create controls to counter them
• SecSDLC is a coherent program, not a series of random, seemingly unconnected actions
Investigation
• Identifies the process, outcomes, goals, and constraints of the project
• Begins with the Enterprise Information Security Policy (EISP)
• Organizational feasibility analysis is performed
Analysis
• Documents from the investigation phase are studied
• Analysis of existing security policies or programs
• Analysis of documented current threats and associated controls
• Analysis of relevant legal issues that could impact the design of the security solution
• Risk management task begins
Logical Design
• Creates and develops blueprints for information security
• Incident response actions planned:
• Continuity planning
• Incident response
• Disaster recovery
• Feasibility analysis to determine whether the project should be continued or outsourced
Physical Design
• Needed security technology is evaluated
• Alternatives are generated
• Final design is selected
• At the end of the phase, a feasibility study determines the readiness of the organization for the project
Implementation
• Security solutions are acquired, tested, implemented, and tested again
• Personnel issues evaluated; specific training and education programs conducted
• Entire tested package is presented to management for final approval
Maintenance and Change
• Perhaps the most important phase, given the ever-changing threat environment
• Often, repairing damage and restoring information is a constant duel with an unseen adversary
• The information security profile of an organization requires constant adaptation as new threats emerge and old threats evolve
Information Security: Is it an Art or a Science?
• Implementation of information security is often described as a combination of art and science
• “Security artisan” idea: based on the way individuals have perceived systems technologists since computers became commonplace
Security as Art
• No hard and fast rules nor many universally accepted complete solutions
• No manual for implementing security through an entire system
Security as Science
• Dealing with technology designed to operate at high levels of performance
• Specific conditions cause virtually all actions that occur in computer systems
• Nearly every fault, security hole, and systems malfunction is a result of the interaction of specific hardware and software
• If developers had sufficient time, they could resolve and eliminate faults
Security as a Social Science
• Social science examines the behaviour of individuals interacting with systems
• Security begins and ends with the people that interact with the system
• Security administrators can greatly reduce levels of risk caused by end users, and create more acceptable and supportable security profiles
Self Reading (Supplementary)
Vulnerabilities
Solving Problems
• Step 1: Recognize and define the problem
• Step 2: Gather facts and make assumptions
• Step 3: Develop possible solutions
• Step 4: Analyze and compare possible solutions
• Step 5: Select, implement, and evaluate a solution
Q: Where is the feedback loop?

Principles of Information Security Management
• The extended characteristics of information security are known as the six P’s
• Planning
• Policy
• Programs
• Protection
• People
• Project Management

Planning
• Planning as part of InfoSec management
• An extension of the basic planning model discussed earlier in this chapter
• Included in the InfoSec planning model
• Activities necessary to support the design, creation, and implementation of information security strategies

Planning (cont’d.)
• Types of InfoSec plans
• Incident response planning
• Business continuity planning
• Disaster recovery planning
• Policy planning
• Personnel planning
• Technology rollout planning
• Risk management planning
• Security program planning
• includes education, training and awareness

Policy
The set of organizational guidelines that dictates certain behavior within the organization
• Three general categories of policy
• Enterprise information security policy (EISP)
• Issue-specific security policy (ISSP)
• System-specific policies (SysSPs)
Programs
InfoSec operations that are specifically managed as separate entities
• Example: a security education, training and awareness (SETA) program
• Other types of programs
• Physical security program
• complete with fire, physical access, gates, guards, etc.
• The National Institute of Standards and Technology has published guidelines for information technology security training requirements, which may be found on the Web at: http://csrc.nist.gov/groups/SMA/ate/index.html

Protection
• Executed through risk management activities
• Including risk assessment and control, protection mechanisms, technologies, and tools
• Each of these mechanisms represents some aspect of the management of specific controls in the overall information security plan
People
• The most critical link in the information security program
• Managers must recognize the crucial role that people play in the information security program
• This area of InfoSec includes security personnel and the security of personnel, as well as aspects of a SETA program
Project Management
• Identifying and controlling the resources applied to the project
• Measuring progress
• Adjusting the process as progress is made
Project Management (cont’d.)
• Information security is a process, not a project
• Each element of an information security program must be managed as a project
• A continuous series, or chain, of projects
• Some aspects of information security are not project-based
• They are managed processes (operations)
Project Management (cont’d.)
Figure 1-4 The information security program chain (Source: Course Technology/Cengage Learning)

Project Management (cont’d.)
• Project Management
• The application of knowledge, skills, tools, and techniques to project activities to meet project requirements
• Accomplished through the use of processes
• Such as initiating, planning, executing, controlling, and closing
• Involves the temporary assemblage of resources to complete a project
• Some projects are iterative, occurring regularly