Information Security - Unit I

The document provides a comprehensive overview of information security, detailing its historical evolution, critical characteristics, and the NSTISSC Security Model. It emphasizes the importance of securing various components of an information system, including hardware, software, data, people, procedures, and networks, while balancing security with user access. Additionally, it outlines the Systems Development Life Cycle (SDLC) and the necessity for robust security measures to protect against evolving cyber threats.

Uploaded by

manzoor22022003

Information Security – Unit I

Introduction: History, Critical Characteristics of Information, NSTISSC Security Model,
Components of an Information System, Securing the Components, Balancing Security
and Access, The SDLC, The Security SDLC.
Need for Security: Business Needs, Threats, Attacks, and Secure Software
Development

History of Information Security:

World War II (1940s): The need for security emerged with the use of mainframes for
cryptographic computations in code-breaking. Security focused on physical access
restrictions using badges, keys, and security guards.

1960s: The U.S. Department of Defense's ARPANET (predecessor to the internet) was
developed, highlighting the need for securing remote communications. Initial security
concerns included unauthorized access and lack of authentication mechanisms.

1970s & 1980s: The rise of networking increased security challenges. The Rand Report
R-609 (1967) was a landmark document recognizing security as a managerial issue,
not just a technical one. Research on secure operating systems, such as MULTICS, laid
the groundwork for modern security principles.

1990s: The explosion of personal computers and the internet introduced new threats
like viruses, hacking, and data breaches. Governments and corporations started
investing heavily in cybersecurity policies and tools.

2000s - Present: Cybersecurity became a critical global issue with the rise of
sophisticated cyberattacks, identity theft, and data privacy concerns. New
technologies like encryption, firewalls, and AI-driven security measures were
developed to combat growing threats.

Critical Characteristics of Information: (CIAAAUP)

The critical characteristics of information, also known as the expanded C.I.A.
(Confidentiality, Integrity, Availability) triangle, define the properties that make
information valuable.

1. Confidentiality
• Ensures that sensitive information is accessible only to authorized individuals or systems.
• Prevents unauthorized disclosure that could lead to data breaches, identity theft, or espionage.
• Achieved through encryption, access controls, authentication mechanisms, and data classification.
• Example: A company storing customer payment details ensures confidentiality by encrypting credit card information and restricting access to authorized employees.

2. Integrity
• Ensures that information remains accurate, consistent, and unaltered unless modified by authorized individuals.
• Protects against data corruption, unauthorized changes, and malicious tampering.
• Achieved through hash functions, checksums, digital signatures, and version control mechanisms.
• Example: A bank maintains integrity by using cryptographic hashing to verify that transaction data has not been tampered with.

3. Availability
• Ensures that authorized users can access information whenever needed without unnecessary delays.
• Threats to availability include denial-of-service (DoS) attacks, hardware failures, and natural disasters.
• Achieved through redundancy (e.g., backup systems, failover mechanisms), disaster recovery plans, and cybersecurity defenses.
• Example: Cloud services implement high-availability architectures with multiple data centers to ensure uptime even if one server fails.

4. Accuracy
• Ensures that information is precise and correct, without any errors introduced by processing or transmission.
• Prevents misinformation and faulty decision-making caused by incorrect data.
• Achieved through data validation, error-checking algorithms, and reconciliation processes.
• Example: A healthcare system ensures patient records are accurate by implementing strict data validation and audit trails.

5. Authenticity
• Ensures that the information is genuine and originates from a verified source.
• Prevents identity fraud, phishing, and spoofing attacks.
• Achieved through authentication mechanisms such as multi-factor authentication (MFA), digital certificates, and blockchain technology.
• Example: An online banking website verifies authenticity by using HTTPS encryption and digital certificates to confirm the legitimacy of transactions.

6. Utility
• Ensures that information is usable, accessible, and meaningful to authorized users.
• Data should be in a format that serves its intended purpose effectively.
• Achieved through proper data formatting, indexing, and compatibility with software applications.
• Example: A database storing financial records ensures utility by using standardized formats like CSV or JSON, allowing easy data processing and analysis.

7. Possession (or Control)
• Ensures that information is controlled by authorized individuals or organizations.
• Prevents unauthorized access, theft, or leaks by cybercriminals or insiders.
• Achieved through strict access control policies, digital rights management (DRM), and legal ownership agreements.
• Example: A company handling trade secrets maintains possession by restricting access to classified documents through role-based access control (RBAC).

These characteristics collectively form the foundation of robust information security
strategies, ensuring data remains secure, accurate, and accessible when needed.

NSTISSC Security Model:

The NSTISSC Security Model, also known as the McCumber Cube, was developed
by John McCumber in 1991 to provide a structured approach to understanding
information security. The model was later adopted by the National Security
Telecommunications and Information Systems Security Committee
(NSTISSC), now known as the Committee on National Security Systems (CNSS).

Structure of the McCumber Cube

The McCumber Cube is a three-dimensional model representing different aspects
of information security. It consists of three axes, each addressing a critical element
of security:

1. Security Goals (CIA Triad)
This axis represents the fundamental security properties:
• Confidentiality – Protecting information from unauthorized access.
• Integrity – Ensuring that information is accurate and unaltered.
• Availability – Ensuring authorized users have timely access to data.

2. Information States
This axis represents the different states in which information exists:
• Storage – Information at rest, such as in databases and files.
• Processing – Information being used or manipulated by systems.
• Transmission – Information in transit across networks.

3. Security Safeguards
This axis represents the means by which security is implemented:
• Technology – Using tools like firewalls, encryption, and intrusion detection systems.
• Policy and Practices – Establishing rules, laws, and security policies to guide behavior.
• Education and Awareness – Training users and administrators on security best practices.

Application of the Model

To secure an information system, each of the 27 intersections (3x3x3) in the cube
must be addressed.
For example:
• Confidentiality + Storage + Technology → Encrypting stored data.
• Integrity + Processing + Policy → Implementing strong data validation rules.
• Availability + Transmission + Education → Training employees to recognize phishing threats.
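The model's requirement that all 27 cells be addressed lends itself to a simple gap analysis. The script below is an added example, not part of the original notes: the three axes are the cube's own, while the control inventory is constructed for illustration and shows a program that leans on technology while leaving policy and education cells uncovered.

```python
"""Gap analysis over the McCumber Cube (NSTISSC model). Added example."""
from itertools import product

GOALS = ("confidentiality", "integrity", "availability")
STATES = ("storage", "processing", "transmission")
SAFEGUARDS = ("technology", "policy", "education")

# Every cell of the 3x3x3 cube that the model says must be addressed.
ALL_CELLS = frozenset(product(GOALS, STATES, SAFEGUARDS))

# Constructed control inventory: control name -> cube cells it addresses.
# One control may cover several cells, e.g. TLS protects both confidentiality
# and integrity of data in transmission through a technology safeguard.
CONTROLS = {
    "full-disk encryption": {("confidentiality", "storage", "technology")},
    "TLS for all services": {
        ("confidentiality", "transmission", "technology"),
        ("integrity", "transmission", "technology"),
    },
    "input validation standard": {("integrity", "processing", "policy")},
    "phishing awareness training": {
        ("availability", "transmission", "education"),
        ("confidentiality", "transmission", "education"),
    },
    "backup and restore procedure": {
        ("availability", "storage", "policy"),
        ("availability", "storage", "technology"),
    },
}


def validate_cell(cell):
    """Reject a cell that is not on the cube's axes (catches typos in inventories)."""
    goal, state, safeguard = cell
    if goal not in GOALS or state not in STATES or safeguard not in SAFEGUARDS:
        raise ValueError(f"not a McCumber cell: {cell}")
    return cell


def covered_cells(controls):
    """Union of all cells claimed by the inventory, each validated."""
    covered = set()
    for cells in controls.values():
        for cell in cells:
            covered.add(validate_cell(cell))
    return covered


def coverage_gaps(controls):
    """Cube cells that no control addresses, sorted for stable output."""
    return sorted(ALL_CELLS - covered_cells(controls))


def gaps_by_safeguard(controls):
    """Uncovered cells per safeguard value: reveals a technology-only program."""
    counts = dict.fromkeys(SAFEGUARDS, 0)
    for _, _, safeguard in coverage_gaps(controls):
        counts[safeguard] += 1
    return counts


if __name__ == "__main__":
    gaps = coverage_gaps(CONTROLS)
    print(f"{len(ALL_CELLS) - len(gaps)}/{len(ALL_CELLS)} cells covered")
    for goal, state, safeguard in gaps:
        print("  uncovered:", " + ".join((goal, state, safeguard)))
    print("gaps per safeguard:", gaps_by_safeguard(CONTROLS))
```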

Advantages of the NSTISSC Security Model

• Comprehensive – Covers all aspects of information security, not just technical controls.
• Flexible – Can be applied to any organization, system, or security scenario.
• Holistic Approach – Ensures security is not limited to one domain (e.g., just technology).

The McCumber Cube is a foundational model in cybersecurity, offering a structured
way to approach security. It highlights the need for a balance between technical
measures, policies, and education to ensure robust security across all information
states.

Components of Information System:

An Information System (IS) is composed of multiple components that work together to
collect, process, store, and distribute information. These components are essential for
any organization to function efficiently and securely. The six major components of an
information system are:

1. Hardware
• Definition: The physical technology that executes software, processes data, and enables communication within the system.
• Examples: Servers, computers, storage devices, networking equipment, input/output devices (e.g., keyboards, monitors, printers).
• Security Concerns: Unauthorized access, physical theft, hardware failures, and environmental damage (e.g., overheating, water damage).
• Protection Measures: Access control systems, biometric authentication, physical locks, environmental monitoring, and redundancy for failover protection.

2. Software
• Definition: The collection of programs and applications that run on hardware, enabling the system to function.
• Types:
o Operating Systems (OS): Manage hardware resources (e.g., Windows, Linux, macOS).
o Application Software: Used for specific tasks (e.g., word processors, accounting software).
o Security Software: Protects the system (e.g., antivirus, firewalls).
• Security Concerns: Software vulnerabilities, malware, unauthorized modifications, and outdated patches.
• Protection Measures: Regular updates, secure coding practices, vulnerability assessments, and intrusion detection systems.

3. Data
• Definition: The raw facts and figures that are processed to generate meaningful information.
• Examples: Customer records, transaction logs, employee details, research data.
• Security Concerns: Data breaches, unauthorized access, data corruption, and loss.
• Protection Measures: Encryption, backup policies, access control, and data integrity checks.

4. People
• Definition: The users who interact with the information system, from end-users to IT professionals.
• Roles:
o End-users: Employees or customers using the system.
o IT Personnel: System administrators, security analysts, developers.
o Management: Decision-makers overseeing the system.
• Security Concerns: Insider threats, social engineering, lack of training, accidental data loss.
• Protection Measures: Security awareness training, access controls, multi-factor authentication, and monitoring user activities.

5. Procedures
• Definition: The policies, processes, and guidelines that dictate how the system should operate and be maintained securely.
• Examples:
o Security Policies: Guidelines on data handling, password management.
o Incident Response Plans: Steps to take in case of a security breach.
o Standard Operating Procedures (SOPs): Instructions for system use and maintenance.
• Security Concerns: Unauthorized modifications, lack of enforcement, outdated procedures.
• Protection Measures: Regular audits, enforcement of policies, and user compliance monitoring.

6. Networks
• Definition: The communication infrastructure that connects different system components and allows data exchange.
• Types:
o Local Area Network (LAN): Connects devices within a small area (e.g., office network).
o Wide Area Network (WAN): Covers larger distances (e.g., the Internet).
o Cloud Networks: Remote data storage and computing services.
• Security Concerns: Unauthorized access, network attacks (e.g., Denial of Service, MITM attacks), data interception.
• Protection Measures: Firewalls, Virtual Private Networks (VPNs), Intrusion Prevention Systems (IPS), network segmentation.

Each component of an information system plays a vital role in ensuring its
functionality, efficiency, and security. The integration of hardware, software,
data, people, procedures, and networks allows organizations to manage and
protect their information effectively. Implementing robust security measures for
each component is essential to

Securing the Components of an Information System

To protect an Information System (IS) from threats such as cyberattacks,
unauthorized access, data breaches, and operational failures, each component of the
system must be secured effectively. Below is a breakdown of how to secure each
major component:

1. Securing Hardware
Threats: Physical theft, hardware failure, unauthorized access, environmental
hazards (fire, floods, power surges).
Security Measures:
• Physical Security: Secure servers and workstations in locked rooms with access control mechanisms (badges, biometrics).
• Surveillance & Monitoring: Use CCTV, motion sensors, and alarms to prevent unauthorized access.
• Redundancy & Failover: Implement redundant power supplies, RAID configurations, and disaster recovery plans to prevent data loss.
• Regular Maintenance: Perform hardware diagnostics and ensure devices are updated with the latest firmware.

2. Securing Software
Threats: Software vulnerabilities, malware, outdated applications, unauthorized
modifications.
Security Measures:
• Regular Patching & Updates: Keep all software updated with the latest security patches.
• Application Hardening: Disable unnecessary services, enforce strong authentication, and use secure coding practices.
• Antivirus & Endpoint Protection: Deploy security tools to detect and block malware and other threats.
• Least Privilege Principle: Restrict access permissions for users and applications to the minimum required level.

3. Securing Data
Threats: Unauthorized access, data breaches, corruption, loss due to disasters.
Security Measures:
• Encryption: Encrypt sensitive data both at rest (stored) and in transit (being transmitted over networks).
• Data Backup: Implement regular backups with offsite or cloud-based storage options.
• Access Control: Use Role-Based Access Control (RBAC) to limit who can read, modify, or delete data.
• Data Integrity Checks: Use hashing techniques (SHA-256, MD5) and checksums to verify data integrity.
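The integrity checks described here (and the Integrity characteristic earlier, with its bank-ledger example) behave very differently depending on who can write to the stored hashes. The script below is an added example, not code from the original notes; the ledger records and the key are constructed. It shows that a plain SHA-256 manifest catches accidental corruption but not an attacker who can rewrite the manifest as well, and that a keyed hash (HMAC) closes that gap, which is where integrity meets authenticity.

```python
"""Integrity of stored records: plain SHA-256 manifest vs keyed HMAC. Added example."""
import hashlib
import hmac

# Constructed sample data: a tiny bank ledger keyed by transaction id.
LEDGER = {
    "tx-1001": b"2024-05-01|ACC-77|credit|250.00",
    "tx-1002": b"2024-05-01|ACC-12|debit|80.00",
}
# Constructed key. In practice it lives in a key store, never beside the data.
MANIFEST_KEY = b"example-manifest-key-not-for-production"


def sha256_manifest(records):
    """Plain SHA-256 per record. The notes also list MD5; it is collision-broken
    and should not be relied on when an adversary, not just disk errors, is in scope."""
    return {k: hashlib.sha256(v).hexdigest() for k, v in records.items()}


def hmac_manifest(records, key):
    """Keyed SHA-256 (HMAC): a valid tag cannot be produced without the key."""
    return {k: hmac.new(key, v, hashlib.sha256).hexdigest() for k, v in records.items()}


def verify_sha256(records, manifest):
    """Ids whose content no longer matches the stored plain hash."""
    return sorted(k for k, v in records.items()
                  if hashlib.sha256(v).hexdigest() != manifest.get(k))


def verify_hmac(records, manifest, key):
    """Ids whose HMAC tag fails; compare_digest keeps the check constant-time."""
    bad = []
    for k, v in records.items():
        expected = hmac.new(key, v, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, manifest.get(k, "")):
            bad.append(k)
    return sorted(bad)


def tamper(records, tx_id, new_value):
    """Simulate an unauthorized modification of one record."""
    changed = dict(records)
    changed[tx_id] = new_value
    return changed


def scenario_corruption_only():
    """Data changes (bit rot or a writer with no access to the manifest);
    the manifest is untouched, so the plain hash detects it."""
    manifest = sha256_manifest(LEDGER)
    corrupted = tamper(LEDGER, "tx-1002", b"2024-05-01|ACC-12|debit|800.00")
    return verify_sha256(corrupted, manifest)


def scenario_attacker_rewrites_manifest():
    """Attacker with write access to data and manifest. They recompute the plain
    hash (undetected) but can only guess a key for the HMAC tag (detected)."""
    genuine_hmac = hmac_manifest(LEDGER, MANIFEST_KEY)
    forged_records = tamper(LEDGER, "tx-1002", b"2024-05-01|ACC-12|debit|800.00")
    forged_sha = sha256_manifest(forged_records)  # anyone can recompute this
    forged_hmac = dict(genuine_hmac)
    forged_hmac["tx-1002"] = hmac.new(
        b"attacker-guess", forged_records["tx-1002"], hashlib.sha256).hexdigest()
    return (verify_sha256(forged_records, forged_sha),
            verify_hmac(forged_records, forged_hmac, MANIFEST_KEY))


if __name__ == "__main__":
    print("corruption only, plain manifest flags:", scenario_corruption_only())
    plain, keyed = scenario_attacker_rewrites_manifest()
    print("manifest rewritten: plain flags", plain, "| HMAC flags", keyed)
```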

4. Securing People (Users & Administrators)
Threats: Insider threats, social engineering, human errors, lack of security
awareness.
Security Measures:
• Security Awareness Training: Educate employees about phishing, password policies, and secure practices.
• Multi-Factor Authentication (MFA): Implement MFA for critical systems to prevent unauthorized access.
• Monitoring & Auditing: Track user activities and flag suspicious behaviors.
• Strict Hiring Practices: Conduct background checks for employees in sensitive roles.

5. Securing Procedures
Threats: Unauthorized access to procedural documents, lack of enforcement,
outdated security policies.
Security Measures:
• Access Restrictions: Store security procedures in a secure repository with limited access.
• Security Audits: Conduct regular policy reviews and audits to ensure compliance.
• Incident Response Plans: Develop and test response plans for different security incidents.

6. Securing Networks
Threats: Unauthorized access, Distributed Denial of Service (DDoS) attacks,
eavesdropping, malware infections.
Security Measures:
• Firewalls & Intrusion Detection Systems (IDS): Monitor and filter incoming and outgoing network traffic.
• Virtual Private Network (VPN): Encrypt data traffic for secure remote access.
• Network Segmentation: Separate networks into zones (e.g., public, internal, restricted) to limit lateral movement in case of a breach.
• Access Controls: Implement network access control (NAC) to verify device and user security posture before granting access.

Balancing Security and Access
While securing an IS is crucial, over-restricting access can hinder productivity.
Organizations should find a balance between strong security measures and
convenient user access by:
• Implementing role-based access rather than blanket restrictions.
• Using single sign-on (SSO) to improve security without complicating logins.
• Monitoring user behavior analytics to flag unusual activities without overburdening employees.

By implementing these security measures, organizations can protect each component
of their Information System from cyber threats, unauthorized access, and operational
disruptions.

Approaches to Information Security Implementation:

Bottom-Up Approach: In this approach, security implementation begins at the
technical level, initiated by system administrators or IT professionals.
Top-Down Approach: This approach starts with senior management defining
security policies, procedures, and goals. IT teams then implement these directives.

The Systems Development Lifecycle: (IALPIM)

The Systems Development Life Cycle (SDLC) is a structured methodology used for
designing, developing, and implementing information systems. It ensures that projects
are completed efficiently, securely, and within budget.

Phases of SDLC
1. Investigation
o Defines the problem the system is intended to solve.
o Specifies project objectives, constraints, and scope.
o Conducts a preliminary cost-benefit analysis and feasibility study
(economic, technical, and behavioral feasibility).

2. Analysis
o Examines the organization’s current systems and capabilities.
o Identifies functional and security requirements.
o Conducts a detailed feasibility study to determine if the project should
proceed.

3. Logical Design
o Develops a blueprint for the system, independent of specific hardware or
software choices.
o Identifies potential solutions and evaluates strengths, weaknesses, costs,
and benefits.
o Conducts another feasibility analysis before proceeding.

4. Physical Design
o Selects the actual hardware and software technologies for the system.
o Decides on in-house development or outsourcing.
o Presents the finalized design to management for approval.

5. Implementation
o Develops or acquires system components.
o Conducts testing, including unit tests, system integration tests, and user
acceptance tests.
o Provides training and documentation for users.
o Deploys the system and monitors performance.

6. Maintenance and Change
o Ensures the system continues to function effectively.
o Includes patch management, upgrades, and security compliance
reviews.
o Evaluates whether the system should be replaced or enhanced over time.

The Need for Security

Introduction
In today’s interconnected digital landscape, security is a cornerstone of business
resilience. Cyber threats are evolving rapidly, driven by technological advancements
and increasing reliance on digital infrastructure. Organizations must prioritize security
to safeguard assets, maintain trust, and ensure continuity. This article explores the
critical need for security through four lenses: business needs, threats, attacks, and
secure software development.

1. Business Needs: Why Security Matters

Businesses invest in security to address core operational and strategic imperatives:
• Asset Protection: Safeguarding sensitive data (e.g., customer information, intellectual property) from theft or misuse.
• Regulatory Compliance: Adhering to laws like GDPR, HIPAA, and PCI-DSS to avoid fines (e.g., Equifax's $700 million penalty for a 2017 breach).
• Customer Trust: A single breach can erode reputation, as seen with the 2020 Twitter hack, which compromised high-profile accounts.
• Financial Stability: Cyberattacks cost businesses an average of $4.45 million per incident (IBM, 2023). Proactive security mitigates these costs.
• Business Continuity: Ensuring operations withstand disruptions, such as ransomware halting production lines.
Example: The 2021 Colonial Pipeline ransomware attack disrupted fuel supply,
highlighting the need for robust incident response plans.

2. Threats: The Invisible Risks
Threats are potential dangers that exploit vulnerabilities:
• Malware: Includes ransomware (e.g., WannaCry), spyware, and trojans.
• Phishing/Social Engineering: Deceptive tactics to extract credentials or funds.
• Insider Threats: Employees misusing access, intentionally or accidentally.
• Advanced Persistent Threats (APTs): Long-term espionage campaigns, often state-sponsored.
• Zero-Day Exploits: Attacks on unpatched vulnerabilities.
• Physical Threats: Theft of devices or unauthorized access to facilities.
Emerging Risks: Cloud adoption and IoT expand attack surfaces, requiring updated
security strategies.

3. Attacks: Threats in Action

Attacks are the execution of threats, targeting specific weaknesses:
• Ransomware: Encrypts data for extortion (e.g., 2023 MGM Resorts attack).
• SQL Injection: Exploits web app vulnerabilities to manipulate databases.
• DDoS Attacks: Overwhelm systems to disrupt services, as seen in the 2016 Dyn attack.
• Supply Chain Compromises: Third-party vulnerabilities, like the SolarWinds breach (2020).
• Man-in-the-Middle (MitM): Intercepts unencrypted communications.
Trend: AI-driven attacks automate phishing and bypass traditional defenses,
demanding adaptive responses.

4. Secure Software Development: Building Resilience

Proactive integration of security into the Software Development Lifecycle (SDLC)
mitigates risks:
• Shift-Left Approach: Embed security early via threat modeling and secure coding standards (e.g., OWASP Top 10).
• Automated Testing: Static (SAST) and dynamic (DAST) analysis tools identify vulnerabilities pre-deployment.
• DevSecOps: Integrates security into CI/CD pipelines for continuous monitoring.
• Patch Management: Rapid response to vulnerabilities, such as Log4j's critical flaw (2021).
• Education: Training developers on secure practices to prevent common flaws like buffer overflows.
Frameworks: ISO 27001 and NIST guidelines provide structured methodologies for
risk management.

Threat vs. Attack

| Threat | Attack |
| --- | --- |
| Threats can be intentional or unintentional. | The attack is intentional. |
| Threats may or may not be malicious. | The attack is malicious. |
| Circumstances that can cause damage. | The objective is to cause damage. |
| Information may or may not be altered or damaged. | The chance for information alteration and damage is very high. |
| The threat is comparatively hard to detect. | Comparatively easy to detect. |
| Can be blocked by control of vulnerabilities. | Cannot be blocked by just controlling the vulnerabilities. |
| Can be initiated by the system itself as well as by outsiders. | An attack is always initiated by an outsider (system or user). |
| Can be classified into physical, internal, external, human, and non-physical threats. | These can be classified into viruses, spyware, phishing, worms, spam, botnets, DoS attacks, ransomware, and breaches. |

Threats
1. Compromises to Intellectual Property – Unauthorized use or theft of
copyrighted or patented content.
2. Deliberate Software Attacks – Intentional malware, viruses, or hacking
attempts.
3. Deviations in Quality of Service – Disruptions in network or service
performance.
4. Espionage or Trespass – Unauthorized access to sensitive data or systems.
5. Forces of Nature – Natural disasters causing system failures or data loss.
6. Human Error or Failure – Accidental data deletion, misconfiguration, or
security lapses.
7. Information Extortion – Ransomware or threats demanding payment for data
access.
8. Inadequate Organizational Policy – Poor security planning or lack of clear
guidelines.
9. Inadequate Controls – Weak security measures that fail to prevent breaches.
10. Sabotage or Vandalism – Intentional destruction or disruption of
systems.
11. Theft – Unauthorized access or physical removal of data or hardware.
12. Technical Hardware Failures – Malfunctioning physical components
leading to data loss.
13. Technical Software Failures – Bugs or vulnerabilities in software
causing security risks.
14. Technological Obsolescence – Outdated systems with unsupported
security patches.
15. Virus – Viruses can replicate themselves by attaching to programs or files on the host computer (such as songs or videos) and then spread across the Internet. The Creeper virus was first detected on ARPANET. Examples include file viruses, macro viruses, boot sector viruses, and stealth viruses.
16. Worms – Worms are also self-replicating, but they do not attach themselves to programs on the host computer. The biggest difference between viruses and worms is that worms are network-aware: they can travel from one computer to another whenever a network is available. On the target machine they usually do little direct harm; they may, for example, consume hard disk space and thereby slow the computer down.
17. Bots – Bots can be seen as an advanced form of worm. They are automated processes designed to interact over the Internet without human intervention. They can be benign or malicious. A malicious bot infects a host and then opens a connection to a central server, which issues commands to all infected hosts attached to it; this network of infected hosts is called a botnet.
18. Adware – Adware is not malicious in the strict sense, but it does breach the privacy of users. It displays ads on the computer's desktop or inside individual programs. It usually comes bundled with free-to-use software and is the main source of revenue for such developers. Adware monitors your interests and displays relevant ads. An attacker can embed malicious code inside the software, so adware can also monitor system activity and even compromise the machine.
19. Spyware – Spyware is software that monitors your activities on the computer and reports the collected information to an interested party. Spyware is generally dropped by Trojans, viruses, or worms; once dropped, it installs itself and stays silent to avoid detection. One of the most common examples of spyware is the keylogger, whose basic job is to record user keystrokes with timestamps, thereby capturing sensitive information such as usernames, passwords, and credit card details.
20. Ransomware – Ransomware is a type of malware that either encrypts your files or locks your computer, making it partially or wholly inaccessible. A screen is then displayed demanding money, i.e. a ransom, in exchange for restoring access.
21. Scareware – Scareware masquerades as a tool to help fix your system, but when the software is executed it infects the system or destroys it completely. The software displays a message to frighten you and pressure you into an action such as paying to "fix" the system.
22. Rootkits – Rootkits are designed to gain root access, i.e. administrative privileges, on the user's system. Once root access is gained, the attacker can do anything, from stealing private files to stealing private data.
23. Zombies – Zombies work similarly to spyware: the infection mechanism is the same, but they do not spy or steal information; instead they wait for commands from the attacker.

Attacks
1. Malicious Code – Viruses, worms, and malware harming systems.
2. Hoaxes – Fake security alerts tricking users into taking harmful actions.
3. Back Doors – Hidden access points in software allowing unauthorized entry.
4. Password Crack – Methods used to retrieve passwords illicitly.
5. Brute Force – Repeated login attempts to guess a password.
6. Dictionary Attack – Using a predefined list of words to guess passwords.
7. Denial-of-Service (DoS/DDoS) – Overloading a system to make it unavailable.
8. Spoofing – Faking identity to deceive systems or users.
9. Man-in-the-Middle – Intercepting communication between two parties.
10. Spam – Unsolicited bulk messages, often containing malware or phishing
links.
11. Mail Bombing – Overloading an email account with excessive messages.
12. Sniffers – Tools used to capture network traffic and sensitive data.
13. Social Engineering – Manipulating people to disclose confidential
information.
14. Pharming – Redirecting users to fraudulent websites to steal data.
15. Timing Attack – Exploiting system response times to extract information.
