
RAJALAKSHMI INSTITUTE OF TECHNOLOGY,

KUTHAMBAKKAM, CHENNAI - 600124


Department of Artificial Intelligence and Data Science

CW3551 DATA AND INFORMATION SECURITY


UNIT II SECURITY INVESTIGATION 9
Need for Security, Business Needs, Threats, Attacks, Legal, Ethical and Professional Issues - An
Overview of Computer Security - Access Control Matrix, Policy-Security policies, Confidentiality
policies, Integrity policies and Hybrid policies
INTRODUCTION- NEED FOR SECURITY
• Information security is unlike any other aspect of information technology. It is an arena
where the primary mission is to ensure things stay the way they are.
• If there were no threats to information and systems, we could focus on improving
systems that support the information, resulting in vast improvements in ease of use and
usefulness.
• The first phase, investigation, provides an overview of the environment in which
security must operate and the problems that security must address.
BUSINESS NEEDS FIRST, TECHNOLOGY NEEDS LAST
Information security performs four important functions for an organization:
1. Protects the organization’s ability to function
2. Enables the safe operation of applications implemented on the organization’s IT systems
3. Protects the data the organization collects and uses
4. Safeguards the technology assets in use at the organization
Protecting the Ability of the Organization to Function
• Both general management and IT management are responsible for implementing
information security to protect the ability of the organization to function.
• “Information security is a management issue in addition to a technical issue, it is a people
issue in addition to the technical issue.”
• To assist management in addressing the needs for information security, communities of
interest must communicate in terms of business impact and the cost of business
interruption and avoid arguments expressed only in technical terms.
Enabling the Safe Operation of Applications
• Today’s organizations are under immense pressure to create and operate integrated,
efficient, and capable applications.
• The modern organization needs to create an environment that safeguards applications
using the organization’s IT systems, particularly the environment of the organization’s
infrastructure.
• Once the infrastructure is in place, management must understand it has not abdicated to
the IT department its responsibility to make choices and enforce decisions, but must
continue to oversee the infrastructure.
Protecting Data that Organizations Collect and Use
• Many organizations realize that one of their most valuable assets is their data, because
without data, an organization loses its record of transactions and/or its ability to deliver
value to its customers.
• Protecting data in motion and data at rest are both critical aspects of information
security.
• An effective information security program is essential to the protection of the integrity
and value of the organization’s data.
Safeguarding Technology Assets in Organizations
• To perform effectively, organizations must add secure infrastructure services based on
the size and scope of the enterprise.
• When an organization grows and more capabilities are needed, additional security
services may have to be provided locally.
• Likewise, as the organization’s network grows to accommodate changing needs, more
robust technology solutions may be needed to replace security programs the
organization has outgrown.
Threats
THREATS TO INFORMATION SECURITY
• To make sound decisions about information security, create policies, and enforce them,
management must be informed of the various kinds of threats facing the organization,
its applications, data and information systems.
• A threat is an object, person, or other entity that represents a constant danger to an asset.
• To better understand the numerous threats facing the organization, a categorization
scheme has been developed allowing us to group threats by their respective activities.
• Overall security is improving according to surveys.


• The 2009 Computer Security Institute/Federal Bureau of Investigation (CSI/FBI) survey
on Computer Crime and Security Survey found:
o 64 percent of organizations had malware infections
o 14 percent indicated system penetration by an outsider

Figure: Threats to Information Security

Figure: World Internet usage
Compromises to Intellectual Property
• Intellectual property (IP): “ownership of ideas and control over the tangible or virtual
representation of those ideas”
• The most common IP breaches involve software piracy
• Two watchdog organizations investigate software abuse:
– Software & Information Industry Association (SIIA)
– Business Software Alliance (BSA)
• Enforcement of copyright law has been attempted with technical security mechanisms
• Many organizations create or support the development of intellectual property as part
of their business operations.
• Intellectual property is defined as “the ownership of ideas and control over the tangible
or virtual representation of those ideas.”
• Intellectual property for an organization includes trade secrets, copyrights,
trademarks, and patents.
• Once intellectual property (IP) has been defined and properly identified, breaches to IP
constitute a threat to the security of this information.
• Most common IP breaches involve the unlawful use or duplication of software-based
intellectual property, known as software piracy.
• In addition to the laws surrounding software piracy, two watchdog organizations
investigate allegations of software abuse: Software & Information Industry Association
(SIIA), formerly the Software Publishers Association, and the Business Software
Alliance (BSA).
• Enforcement of copyright violations, piracy, and the like has been attempted through a
number of technical security mechanisms, including digital watermarks, embedded
codes.
Deliberate Software Attacks
• Malicious software (malware) designed to damage, destroy, or deny service to target
systems
• Includes:
o Viruses
o Worms
o Trojan horses
o Logic bombs
o Back door or trap door
o Polymorphic threats
o Virus and worm hoaxes
• Deliberate software attacks occur when an individual or group designs software to
attack an unsuspecting system. Most of this software is referred to as malicious code or
malicious software, or sometimes malware.
• These software components or programs are designed to damage, destroy, or deny
service to the target systems.
• Some of the more common instances of malicious code are viruses and worms, Trojan
horses, logic bombs, back doors, and denial-of-services attacks.
• Computer viruses are segments of code that perform malicious actions.
• This code behaves very much like a virus pathogen attacking animals and plants, using
the cell’s own replication machinery to propagate and attack.
• The code attaches itself to the existing program and takes control of that program’s
access to the targeted computer.
• The virus-controlled target program then carries out the virus’s plan by replicating
itself into additional targeted systems.
• The macro virus is embedded in the automatically executing macro code, common in
office productivity software like word processors, spreadsheets, and database
applications.
• The boot virus infects the key operating system files located in a computer’s boot
sector.
• Worms - Malicious programs that replicate themselves constantly without requiring
another program to provide a safe environment for replication. Worms can continue
replicating themselves until they completely fill available resources, such as memory,
hard drive space, and network bandwidth.
• Trojan horses - Software programs that hide their true nature and reveal their
designed behavior only when activated. Trojan horses are frequently disguised as
helpful, interesting, or necessary pieces of software, such as readme.exe files often
included with shareware or freeware packages.
• Back door or Trap door - A virus or worm can have a payload that installs a back door
or trap door component in a system. This allows the attacker to access the system at
will with special privileges.
• Polymorphism - A threat that changes its apparent shape over time, representing a new
threat not detectable by techniques that are looking for a preconfigured signature.
These threats actually evolve, changing their size and appearance to elude detection by
antivirus software programs, making detection more of a challenge.
• Virus and Worm Hoaxes - As frustrating as viruses and worms are, perhaps more time
and money is spent on resolving virus hoaxes. Well-meaning people spread these
hoaxes when they forward e-mails warning of fictitious or virus-laden threats.

Figure: Trojan Horse Attack

Deviations in Quality of Service
Potential Deviations in Quality of Service by Service Providers
• Includes situations where products or services are not delivered as expected
• Information system depends on many interdependent support systems
• Internet service, communications, and power irregularities dramatically affect
availability of information and systems
• This category represents situations in which products or services are not delivered to
the organization as expected.
• The organization’s information system depends on the successful operation of many
interdependent support systems including power grids, telecom networks, parts
suppliers, service vendors, and even the janitorial staff and garbage haulers.
• Internet service, communications, and power irregularities are three sets of service
issues that dramatically affect the availability of information and systems.
• Internet Service Issues
• For organizations that rely heavily on the Internet and the Web to support
continued operations, the threat of the potential loss of Internet service can lead
to considerable loss in the availability of information.
• Many organizations have sales staff and telecommuters working at remote
locations.
• When an organization places its Web servers in the care of a Web hosting
provider, that outsourcer assumes responsibility for all Internet services as well
as for the hardware and operating system software used to operate the Web
site.
• Communications and Other Service Provider Issues
• Other utility services can impact organizations as well.
• Among these are telephone, water, wastewater, trash pickup, cable television,
natural or propane gas, and custodial services.
• The threat of loss of these services can lead to the inability of an organization to
function properly.
• Power Irregularities
• Commonplace
• Organizations with inadequately conditioned power are susceptible
• Controls can be applied to manage power quality
• Fluctuations (short or prolonged)
• Excesses (spikes or surges) – voltage increase
• Shortages (sags or brownouts) – low voltage
• Losses (faults or blackouts) – loss of power
• The threat of irregularities from power utilities is common and can lead to
fluctuations such as power excesses, power shortages, and power losses.
• In the U.S., buildings are “fed” 120-volt, 60-cycle power usually through 15 and
20 amp circuits.
• Voltage levels can:
• spike – momentary increase or surge – prolonged increase
• sag – momentary low voltage, or brownout – prolonged drop
• fault – momentary loss of power, or blackout – prolonged loss
• Since sensitive electronic equipment, especially networking equipment,
computers, and computer-based systems are susceptible to fluctuations,
controls can be applied to manage power quality.
Espionage or Trespass
• Deliberate Acts of Espionage or Trespass
• Access of protected information by unauthorized individuals
• Competitive intelligence (legal) vs. industrial espionage (illegal)
• Shoulder surfing can occur anywhere a person accesses confidential
information
• Controls let trespassers know they are encroaching on organization’s
cyberspace
• Hackers use skill, guile, or fraud to bypass controls protecting others’
information
• This threat represents a well-known and broad category of electronic and
human activities that breach the confidentiality of information.
• When an unauthorized individual gains access to the information an
organization is trying to protect, that act is categorized as a deliberate act of
espionage or trespass.
• When information gatherers employ techniques that cross the threshold of
what is legal and/or ethical, they enter the world of industrial espionage.
• Instances of shoulder surfing occur at computer terminals, desks, ATM
machines, public phones, or other places where a person is accessing
confidential information.
• The threat of trespass can lead to unauthorized real or virtual actions that
enable information gatherers to enter premises or systems they have not been
authorized to enter.
• Controls are sometimes implemented to mark the boundaries of an
organization’s virtual territory.
• These boundaries give notice to trespassers that they are encroaching on the
organization’s cyberspace.
• The classic perpetrator of deliberate acts of espionage or trespass is the hacker.
• In the gritty world of reality, a hacker uses skill, guile, or fraud to attempt to
bypass the controls placed around information that is the property of someone
else. The hacker frequently spends long hours examining the types and
structures of the targeted systems.

Figure: Shoulder Surfing

Hacker Profiles
There are generally two skill levels among hackers.
• Expert hacker
– Develops software scripts and program exploits
– Usually a master of many skills
– Will often create attack software and share with others
• Unskilled hacker
– Many more unskilled hackers than expert hackers
– Use expertly written software to exploit a system
– Do not usually fully understand the systems they hack
• The first is the expert hacker, who develops software scripts and codes exploits used by
the second category, the novice, or unskilled hacker.
• The expert hacker is usually a master of several programming languages, networking
protocols, and operating systems and also exhibits a mastery of the technical
environment of the chosen targeted system.
• However, expert hackers have now become bored with directly attacking systems and
have turned to writing software.
• The software they are writing are automated exploits that allow novice hackers to
become script kiddies, hackers of limited skill who use expert-written software to
exploit a system but do not fully understand or appreciate the systems they hack.
• As a result of preparation and continued vigilance, attacks conducted by scripts are
usually predictable and can be adequately defended against.
• There are other terms for system rule breakers:
• The term cracker is now commonly associated with an individual who “cracks” or
removes the software protection from an application designed to prevent unauthorized
duplication.
• A phreaker hacks the public telephone network to make free calls, disrupt services, and
generally wreak havoc.
Other terms for system rule breakers:
• Cracker: “cracks” or removes software protection designed to prevent unauthorized
duplication
• Phreaker: hacks the public telephone network


Forces of Nature
• Forces of nature, force majeure, or acts of God pose the most dangerous threats, because
they are unexpected and can occur with very little warning.
• These threats can disrupt not only the lives of individuals, but also the storage,
transmission, and use of information.
• These include fire, flood, earthquake, lightning, landslide or mudslide, tornado or severe
windstorm, hurricane or typhoon, tsunami, electrostatic discharge, and dust
contamination.
• Since it is not possible to avoid many of these threats, management must implement
controls to limit damage and also prepare contingency plans for continued operations.
Human Error or Failure
Potential Acts of Human Error or Failure
• Includes acts performed without malicious intent
• Causes include:
o Inexperience
o Improper training
o Incorrect assumptions
• Employees are among the greatest threats to an organization’s data
• This category includes the possibility of acts performed without intent or malicious
purpose by an individual who is an employee of an organization.
• Inexperience, improper training, the making of incorrect assumptions, and other
circumstances can cause problems.
• Employees constitute one of the greatest threats to information security, as the
individuals closest to the organizational data.
• Employee mistakes can easily lead to the following: revelation of classified data, entry
of erroneous data, accidental deletion or modification of data, storage of data in
unprotected areas, and failure to protect information.
• Many threats can be prevented with controls, ranging from simple procedures, such as
requiring the user to type a critical command twice, to more complex procedures, such
as the verification of commands by a second party.
• Employee mistakes can easily lead to:
o Revelation of classified data
o Entry of erroneous data
o Accidental data deletion or modification
o Data storage in unprotected areas
o Failure to protect information
• Many of these threats can be prevented with controls

Figure: Acts of Human Error or Failure

Information Extortion
Deliberate Acts of Information Extortion
• The threat of information extortion is the possibility of an attacker or formerly trusted
insider stealing information from a computer system and demanding compensation for
its return or for an agreement to not disclose the information.
• Extortion is common in credit card number theft.
Missing, Inadequate, or Incomplete Policy, Planning, or Controls
• In policy or planning, can make organizations vulnerable to loss, damage, or disclosure
of information assets
• With controls, can make an organization more likely to suffer losses when other threats
lead to attacks
• Missing, inadequate, or incomplete organizational policy or planning makes an
organization vulnerable to loss, damage, or disclosure of information assets when other
threats lead to attacks. Information security is, at its core, a management function.
• Missing, inadequate, or incomplete controls—that is, security safeguards and
information asset protection controls that are missing, misconfigured, antiquated, or
poorly designed or managed—make an organization more likely to suffer losses when
other threats lead to attacks.
Sabotage or Vandalism
• Threats can range from petty vandalism to organized sabotage
• Web site defacing can erode consumer confidence, dropping sales and organization’s
net worth
• Threat of hacktivist or cyberactivist operations rising
• Cyberterrorism: much more sinister form of hacking
• Deliberate Acts of Sabotage or Vandalism
• Equally popular today is the assault on the electronic face of an organization, its
Web site.
• This category of threat involves the deliberate sabotage of a computer system or
business, or acts of vandalism to either destroy an asset or damage the image of
an organization.
• These threats can range from petty vandalism by employees to organized
sabotage against an organization.
• Organizations frequently rely on image to support the generation of revenue, so
if an organization’s Web site is defaced, a drop in consumer confidence is
probable, reducing the organization’s sales and net worth.
• Compared to Web site defacement, vandalism within a network is more
malicious in intent and less public.
• Today, security experts are noticing a rise in another form of online vandalism
in what are described as hacktivist or cyberactivist operations. A more extreme
version is referred to as cyberterrorism.

Figure 2-9 Cyber Activists Wanted


Theft
• Illegal taking of another’s physical, electronic, or intellectual property
• Physical theft is controlled relatively easily
• Electronic theft is more complex problem; evidence of crime not readily apparent
• Deliberate Acts of Theft
• Theft is the illegal taking of another’s property. Within an organization, that
property can be physical, electronic, or intellectual.
• The value of information suffers when it is copied and taken away without the
owner’s knowledge.
• Physical theft can be controlled quite easily. A wide variety of measures can be
used from simple locked doors to trained security personnel and the installation
of alarm systems.
• Electronic theft, however, is a more complex problem to manage and control.
Organizations may not even know it has occurred.
Technical Hardware Failures or Errors
• Occur when manufacturer distributes equipment containing flaws to users
• Can cause system to perform outside of expected parameters, resulting in unreliable or
poor service
• Some errors are terminal; some are intermittent
• Technical hardware failures or errors occur when a manufacturer distributes to users
equipment containing a known or unknown flaw.
• These defects can cause the system to perform outside of expected parameters,
resulting in unreliable service or lack of availability.
• Some errors are terminal, in that they result in the unrecoverable loss of the
equipment. Some errors are intermittent, in that they only periodically manifest
themselves, resulting in faults that are not easily repeated.
Technical Software Failures or Errors
• Purchased software that contains unrevealed faults
• Combinations of certain software and hardware can reveal new software bugs
• Entire Web sites dedicated to documenting bugs
• This category of threats comes from purchasing software with unknown, hidden faults.
• Large quantities of computer code are written, debugged, published, and sold only to
determine that not all bugs were resolved.
• Sometimes, unique combinations of certain software and hardware reveal new bugs.
• Sometimes, these items aren’t errors but are purposeful shortcuts left by programmers
for honest or dishonest reasons.
Technological Obsolescence
• Antiquated/outdated infrastructure can lead to unreliable, untrustworthy systems


• Proper managerial planning should prevent technology obsolescence
• IT plays large role
• When the infrastructure becomes antiquated or outdated, it leads to unreliable and
untrustworthy systems.
• Management must recognize that when technology becomes outdated, there is a risk of
loss of data integrity to threats and attacks.
• Ideally, proper planning by management should prevent the risks from technology
obsolescence, but when obsolescence is identified, management must take immediate
action.
Attacks
• An attack is a deliberate act that exploits a vulnerability.
• It is accomplished by a threat agent to damage or steal an organization’s
information or physical asset.
• An exploit is a technique to compromise a system. A vulnerability is an identified
weakness of a controlled system whose controls are not present or are no longer
effective. An attack is then the use of an exploit to achieve the compromise of a
controlled system.
Malicious Code
• This kind of attack includes the execution of viruses, worms, Trojan horses, and
active Web scripts with the intent to destroy or steal information.
• As of 2002, the state of the art in attacking systems was the multivector worm.
These attack programs use up to six known attack vectors to exploit a variety of
vulnerabilities in commonly found information system devices.
Table 2-2 Attack Replication Vectors


Types of attacks
– Back door: gaining access to system or network using known or previously
unknown/newly discovered access mechanism
– Password crack: attempting to reverse calculate a password
– Brute force: trying every possible combination of options of a password
– Dictionary: selects specific accounts to attack and uses commonly used
passwords (i.e., the dictionary) to guide guesses
– Denial-of-service (DoS): attacker sends large number of connection or
information requests to a target
– Target system cannot handle successfully along with other, legitimate service
requests
– May result in system crash or inability to perform ordinary functions
– Distributed denial-of-service (DDoS): coordinated stream of requests is
launched against target from many locations simultaneously
– Spoofing: technique used to gain unauthorized access; intruder assumes a
trusted IP address
– Man-in-the-middle: attacker monitors network packets, modifies them, and
inserts them back into network
– Spam: unsolicited commercial e-mail; more a nuisance than an attack, though is
emerging as a vector for some attacks
– Mail bombing: also a DoS; attacker routes large quantities of e-mail to target
– Sniffers: program or device that monitors data traveling over network; can be
used both for legitimate purposes and for stealing information from a network
– Phishing: an attempt to gain personal/financial information from individual,
usually by posing as legitimate entity
– Pharming: redirection of legitimate Web traffic (e.g., browser requests) to
illegitimate site for the purpose of obtaining private information
– Social engineering: using social skills to convince people to reveal access
credentials or other valuable information to attacker
– “People are the weakest link. You can have the best technology; firewalls,
intrusion-detection systems, biometric devices ... and somebody can call an
unsuspecting employee. That's all she wrote, baby. They got everything.” —
Kevin Mitnick
– Timing attack: relatively new; works by exploring contents of a Web browser’s
cache to create malicious cookie
Attack Descriptions
Back Doors - Using a known or previously unknown and newly discovered access
mechanism, an attacker can gain access to a system or network resource.
Password Crack - Attempting to reverse calculate a password.
Brute Force - The application of computing and network resources to try every possible
combination of options of a password.
Dictionary - The dictionary password attack narrows the field by selecting specific
accounts to attack and uses a list of commonly used passwords (the dictionary) to guess
with.
Denial-of-Service (DoS) - The attacker sends a large number of connection or information
requests to a target. So many requests are made that the target system cannot handle them
successfully along with other, legitimate requests for service. This may result in a system
crash or merely an inability to perform ordinary functions.

Figure 2-11 Denial-of-Service Attacks


Distributed Denial-of-Service (DDoS) - An attack in which a coordinated stream of
requests is launched against a target from many locations at the same time.
Spoofing - A technique used to gain unauthorized access to computers, whereby the
intruder sends messages to a computer with an IP address indicating that the message is
coming from a trusted host.
Figure 2-12 IP Spoofing


Man-in-the-Middle - In the man-in-the-middle or TCP hijacking attack, an attacker sniffs
packets from the network, modifies them, and inserts them back into the network.

Figure 2-13 Man-in-the-Middle Attack


Spam - Unsolicited commercial e-mail. While many consider spam a nuisance rather than
an attack, it is emerging as a vector for some attacks.
Mail Bombing - Another form of e-mail attack that is also a DoS, in which an attacker
routes large quantities of e-mail to the target.
Sniffers - A program and/or device that can monitor data travelling over a network.
Sniffers can be used both for legitimate network management functions and for stealing
information from a network.
Phishing - An attempt to gain personal or financial information from an individual, usually
by posing as a legitimate entity.
Pharming - “The redirection of legitimate Web traffic (e.g., browser requests) to an
illegitimate site for the purpose of obtaining private information.”
Social Engineering - Within the context of information security, the process of using
social skills to convince people to reveal access credentials or other valuable information
to the attacker.
“People are the weakest link. You can have the best technology; firewalls, intrusion-detection
systems, biometric devices...and somebody can call an unsuspecting employee.
That's all she wrote, baby. They got everything.” (Kevin Mitnick)
Timing Attack - Relatively new. One form probes the contents of a Web browser's cache: whether
a resource loads quickly (from cache) or slowly reveals which sites the victim has visited, and
this could allow the attacker to collect information that helps gain access to password-protected
sites. Another attack by the same name measures how long a cryptographic operation (a key or
password comparison, a decryption) takes to complete and uses the variation in that time to
infer key material or details of the algorithm.
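As an added example (not from these notes), the following Python shows the second kind of timing attack in miniature. A password check that compares byte by byte and stops at the first mismatch does an amount of work that depends on how much of the guess is correct, and an attacker who can measure that work recovers the secret one byte at a time. Here the number of bytes examined stands in for elapsed time; the secret, the alphabet and the function names are constructed for the example. `hmac.compare_digest` is the standard-library constant-time comparison used as the fix.

```python
import hmac
import string
from typing import Tuple

# Constructed sample secret and the alphabet the attacker tries; both are example values.
SECRET = b"s3cret"
ALPHABET = (string.ascii_lowercase + string.digits).encode()


def naive_compare(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Early-exit comparison, as many hand-written checks are.

    Returns (equal, bytes_examined).  bytes_examined stands in for elapsed
    time: it grows with the length of the matching prefix, which is exactly
    the signal a timing attacker measures.
    """
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for a, b in zip(secret, guess):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_compare(secret: bytes, guess: bytes) -> bool:
    """Fix: hmac.compare_digest examines every byte regardless of where the
    first mismatch is, so the work done does not depend on the guess."""
    return hmac.compare_digest(secret, guess)


def recover_by_timing(secret: bytes, alphabet: bytes) -> bytes:
    """Simulated attacker against naive_compare.

    For each position, try every candidate byte and keep the one that makes
    the comparison do the most work (one extra byte examined means the
    candidate matched and the loop moved on).  A successful final compare
    scores one higher so the last byte is resolved too.  Assumes the attacker
    already knows the secret's length (it is len(secret) here).
    """
    recovered = bytearray()
    for pos in range(len(secret)):
        best_byte, best_score = alphabet[0], -1
        for c in alphabet:
            guess = bytes(recovered) + bytes([c]) + b"\x00" * (len(secret) - pos - 1)
            equal, work = naive_compare(secret, guess)
            score = work + (1 if equal else 0)
            if score > best_score:
                best_byte, best_score = c, score
        recovered.append(best_byte)
    return bytes(recovered)


if __name__ == "__main__":
    print("recovered from the naive compare:", recover_by_timing(SECRET, ALPHABET))
    print("constant-time compare, correct guess:", constant_time_compare(SECRET, b"s3cret"))
```

Against `constant_time_compare` the same search finds nothing, because every guess costs the same. Real attacks measure wall-clock time across many requests to average out network jitter; the signal is smaller but the method and the remedy are the same, which is why MAC and token comparisons in web frameworks use a constant-time compare.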

Figure 2-14 Example of a Nigerian 4-1-9 Fraud


Secure Software Development
• Many of the information security issues discussed here are caused by software elements of
systems
• Development of software and systems is often accomplished using methodology such
as Systems Development Life Cycle (SDLC)
• Many organizations recognize need for security objectives in SDLC and have included
procedures to create more secure software
• This software development approach known as Software Assurance (SA)
Software Assurance and the SA Common Body of Knowledge
• National effort underway to create common body of knowledge focused on secure
software development

• US Department of Defense and Department of Homeland Security supported the Software
Assurance Initiative, which resulted in publication of the Software Assurance (SwA)
Common Body of Knowledge (CBK)
• SwA CBK serves as a strongly recommended guide to developing more secure
applications
Software Design Principles
• Good software development results in secure products that meet all design
specifications
• Some commonplace security principles (the Saltzer and Schroeder design principles):
– Keep design simple and small (economy of mechanism)
– Access decisions by permission not exclusion, i.e. deny by default (fail-safe defaults)
– Every access to every object checked for authority (complete mediation)
– Security must not depend on secrecy of the design, only on possession of keys/passwords (open design)
– Protection mechanisms require two keys to unlock (separation of privilege)
– Programs/users utilize only necessary privileges (least privilege)
– Minimize mechanisms common to multiple users (least common mechanism)
– Human interface must be easy to use so users routinely/automatically use
protection mechanisms (psychological acceptability)
Software Development Security Problems
• Problem areas in software development:
– Buffer overruns
– Command injection
– Cross-site scripting
– Failure to handle errors
– Failure to protect network traffic
– Failure to store and protect data securely
– Failure to use cryptographically strong random numbers
– Format string problems
– Neglecting change control
– Improper file access
– Improper use of SSL

– Information leakage
– Integer bugs (overflows/underflows)
– Race conditions
– SQL injection
– Trusting network address resolution
– Unauthenticated key exchange
– Use of magic URLs and hidden forms
– Use of weak password-based systems
– Poor usability
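Most items in the list above are best understood from a vulnerable snippet next to its fix. As an added example (not from these notes), the Python below takes SQL injection: a login check that pastes user input into the statement text, beside the same check written as a parameterised query. The in-memory SQLite table, user names, passwords and payload are constructed sample data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table with two users.

    Passwords are stored in clear only to keep the injection visible; doing
    so in real code is itself one of the sins above ("failure to store and
    protect data securely").
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """SQL injection: user input is pasted into the statement text, so a quote
    in the input ends the string literal and the rest is parsed as SQL."""
    sql = (
        "SELECT 1 FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Fix: a parameterised query.  The statement text is fixed; the driver
    binds the inputs as data, so they can never change what is executed."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Classic tautology payload: closes the password literal and appends an
# always-true condition, so the WHERE clause matches every row.
PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, real password :", login_vulnerable(db, "alice", "correct horse"))
    print("vulnerable, payload       :", login_vulnerable(db, "nobody", PAYLOAD))
    print("parameterised, payload    :", login_safe(db, "nobody", PAYLOAD))
```

The injected statement becomes `... WHERE username = 'nobody' AND password = '' OR '1'='1'`; because AND binds tighter than OR, the clause is true for every row and an unknown user is logged in. The parameterised version sends the same payload to the database as an ordinary six-character password and matches nothing.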
Summary
• Unlike any other aspect of IT, information security's primary mission is to ensure things
stay the way they are
• Information security performs four important functions:
– Protects organization’s ability to function
– Enables safe operation of applications implemented on organization’s IT
systems
– Protects data the organization collects and uses
– Safeguards the technology assets in use at the organization
• Threat: object, person, or other entity representing a constant danger to an asset
• Management effectively protects its information through policy, education, training,
and technology controls
• Attack: a deliberate act that exploits vulnerability
• Secure systems require secure software
Law and Ethics in Information Security
• Laws: rules that mandate or prohibit certain societal behavior
• Ethics: define socially acceptable behavior
• Cultural mores: fixed moral attitudes or customs of a particular group; ethics based on
these
• Laws carry sanctions of a governing authority; ethics do not
• As individuals we elect to trade some aspects of personal freedom for social order.

• Laws are rules adopted for determining expected behavior in modern society and are
drawn from ethics, which define socially acceptable behaviors.
• Ethics in turn are based on cultural mores: fixed moral attitudes or customs of a
particular group.
• Some ethics are recognized as universal among cultures.
Organizational Liability and the Need for Counsel
• Liability: legal obligation of an entity extending beyond criminal or contract law;
includes legal obligation to make restitution
• Restitution: to compensate for wrongs committed by an organization or its employees
• Due care: ensuring that employees know what constitutes acceptable behavior and
know the consequences of illegal or unethical actions
• Due diligence: making a valid effort to protect others; continually maintaining level of
effort
• Jurisdiction: court's right to hear a case if the wrong was committed in its territory or
involved its citizenry
• Long arm jurisdiction: right of any court to impose its authority over an individual or
organization if it can establish jurisdiction
Policy versus Law
• Policies: body of expectations that describe acceptable and unacceptable employee
behaviours in the workplace
• Policies function as laws within an organization; must be crafted carefully to ensure
they are complete, appropriate, fairly applied to everyone
• Difference between policy and law: ignorance of a policy is an acceptable defence (ignorance
of the law is not), so a policy is enforceable only if the organisation can demonstrate:
• Criteria for policy enforcement:
• Dissemination (distribution)
• Review (reading)
• Comprehension (understanding)
• Compliance (agreement)
• Uniform enforcement
Types of Law

• Civil law represents a wide variety of laws that are recorded in volumes of legal “code”
available for review by the average citizen.
• Criminal law addresses violations harmful to society and is actively enforced through
prosecution by the state.
• Tort law allows individuals to seek recourse against others in the event of personal,
physical, or financial injury.
• Private law regulates the relationship between the individual and the organization,
and encompasses family law, commercial law, and labor law.
• Public law regulates the structure and administration of government agencies and
their relationships with citizens, employees, and other governments, providing careful
checks and balances. Examples of public law include criminal, administrative, and
constitutional law.
Relevant U.S. Laws
• United States has been a leader in the development and implementation of information
security legislation
• Implementation of information security legislation contributes to a more reliable
business environment and a stable economy
• U.S. has demonstrated understanding of problems facing the information security field;
has specified penalties for individuals and organizations failing to follow requirements
set forth in U.S. civil statutes
General Computer Crime Laws
• Computer Fraud and Abuse Act of 1986 (CFA Act): cornerstone of many computer-
related federal laws and enforcement efforts
• National Information Infrastructure Protection Act of 1996:
o Modified several sections of the previous act and increased the penalties for
selected crimes
o Severity of penalties judged on the purpose
▪ For purposes of commercial advantage
▪ For private financial gain
▪ In furtherance of a criminal act

• USA PATRIOT Act of 2001: provides law enforcement agencies with broader latitude in
order to combat terrorism-related activities
• USA PATRIOT Improvement and Reauthorization Act: made permanent fourteen of the
sixteen expanded powers of the Department of Homeland Security and the FBI in
investigating terrorist activity
• Computer Security Act of 1987: one of the first attempts to protect federal computer
systems by establishing minimum acceptable security practices. The National Bureau of
Standards (now NIST), in cooperation with the National Security Agency, became
responsible for developing these security standards and guidelines.
• The Communications Act of 1934 was revised by the Telecommunications Deregulation
and Competition Act of 1996, which attempts to modernize the archaic terminology of
the older act.
• These much-needed updates of terminology were included as part of the
Communications Decency Act (CDA).
• The CDA was immediately ensnared in a thorny legal debate over the attempt to define
indecency, and its indecency provisions were ultimately struck down by the Supreme Court.
Privacy
• One of the hottest topics in information security
• Is a “state of being free from unsanctioned intrusion”

• Ability to aggregate data from multiple sources allows creation of information
databases previously impossible
• The number of statutes addressing an individual’s right to privacy has grown
• US Regulations
• Privacy of Customer Information Section of the common carrier regulation
• Federal Privacy Act of 1974
• Electronic Communications Privacy Act of 1986
• Health Insurance Portability and Accountability Act of 1996 (HIPAA), aka
Kennedy-Kassebaum Act
• Financial Services Modernization Act, or Gramm-Leach-Bliley Act of 1999
• Identity Theft
• Federal Trade Commission: “occurring when someone uses your personally
identifying information, like your name, Social Security number, or credit card
number, without your permission, to commit fraud or other crimes”
• Fraud And Related Activity In Connection With Identification Documents,
Authentication Features, And Information (Title 18, U.S.C. § 1028)
• If someone suspects identity theft:
– Report to the three dominant consumer reporting companies that your identity
is threatened
– Close compromised accounts and dispute accounts opened without permission
– Register your concern with the FTC
– Report the incident to either your local police or police in the location where the
identity theft occurred
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Protects the confidentiality and security of health care data by establishing and
enforcing standards and by standardizing electronic data interchange
• Consumer control of medical information
• Boundaries on the use of medical information
• Accountability for the privacy of private information

• Balance of public responsibility for the use of medical information for the greater good
measured against impact to the individual
• Security of health information
Export and Espionage Laws
• Economic Espionage Act of 1996 (EEA)
• Security And Freedom Through Encryption Act of 1999 (SAFE)
• The acts include provisions about encryption that:
– Reinforce the right to use or sell encryption algorithms, without concern of key
registration (no mandatory key escrow)
– Prohibit the federal government from requiring key registration
– Make the use of encryption not, in itself, probable cause of criminal activity
– Relax export restrictions
– Add penalties for using encryption in furtherance of a crime


• Intellectual property is recognized as a protected asset in the U.S.; copyright law extends
this right to the published word, including electronic formats
• With proper acknowledgment, it is permissible to include portions of others' work as
reference
• Fair use of copyrighted materials includes use to support news reporting, teaching,
scholarship, and a number of other related purposes, so long as the use is for educational
or library purposes, not for profit, and is not excessive
• U.S. Copyright Office Web site: www.copyright.gov

Financial Reporting
• Sarbanes-Oxley Act of 2002
• Affects executive management of publicly traded corporations and public accounting
firms
• Seeks to improve reliability and accuracy of financial reporting and increase the
accountability of corporate governance
• Penalties for noncompliance range from fines to jail terms
• Reliability assurance will require additional emphasis on confidentiality and integrity
Freedom of Information Act of 1966 (FOIA)
• Allows access to federal agency records or information not determined to be matter of
national security
• U.S. government agencies required to disclose any requested information upon receipt
of written request
• Some information protected from disclosure
State and Local Regulations
• Restrictions on organizational computer technology use exist at international, national,
state, local levels
• Information security professional responsible for understanding state regulations and
ensuring organization is compliant with regulations
International Laws and Legal Bodies

• When organizations do business on the Internet, they do business globally


• Professionals must be sensitive to laws and ethical values of many different cultures,
societies, and countries
• Because of political complexities of relationships among nations and differences in
culture, there are few international laws relating to privacy and information security
• These international laws are important but are limited in their enforceability
Council of Europe Convention on Cybercrime
• Establishes international task force overseeing Internet security functions for
standardized international technology laws
• Attempts to improve effectiveness of international investigations into breaches of
technology law
• Well received by intellectual property rights advocates due to emphasis on copyright
infringement prosecution
• Lacks realistic provisions for enforcement
Agreement on Trade-Related Aspects of Intellectual Property Rights
• Created by World Trade Organization (WTO)
• First significant international effort to protect intellectual property rights
• Outlines requirements for governmental oversight and legislation providing minimum
levels of protection for intellectual property
• Agreement covers five issues:
• Application of basic principles of trading system and international intellectual
property agreements
• Giving adequate protection to intellectual property rights
• Enforcement of those rights by countries in their own territories
• Settling intellectual property disputes
• Transitional arrangements while new system is being introduced
Digital Millennium Copyright Act (DMCA)
• U.S. contribution to an international effort, led by the World Intellectual Property
Organization (WIPO), to reduce the impact of copyright, trademark, and privacy infringement
• By contrast, European Union Directive 95/46/EC addresses the protection of individuals with
regard to the processing of personal data
• Prohibits:
– Circumvention of technological protections and countermeasures
– Manufacture and trafficking of devices used to circumvent such protections
– Altering copyright management information attached to or embedded in copyrighted material
• Limits the liability of ISPs for some copyright infringement committed by their users
Ethics and Information Security
• Many Professional groups have explicit rules governing ethical behavior in the
workplace
• IT and IT security do not have binding codes of ethics
• Professional associations and certification agencies work to establish codes of ethics
– Can prescribe ethical conduct
– Do not always have the ability to ban violators from practice in field

Ethical Differences Across Cultures
• Cultural differences create difficulty in determining what is and is not ethical

• Difficulties arise when one nationality’s ethical behavior conflicts with ethics of another
national group
• Scenarios are grouped into:
– Software License Infringement
– Illicit Use
– Misuse of Corporate Resources
• Cultures have different views on the scenarios
Ethics and Education
• Overriding factor in levelling ethical perceptions within a small population is education
• Employees must be trained in expected behaviors of an ethical employee, especially in
areas of information security
• Proper ethical training is vital to creating informed, well prepared, and low-risk system
user
Deterring Unethical and Illegal Behavior
• Three general causes of unethical and illegal behavior: ignorance, accident, intent
• Deterrence: best method for preventing an illegal or unethical activity; e.g., laws, policies,
technical controls
• Laws and policies only deter if three conditions are present:
– Fear of penalty
– Probability of being caught
– Probability of penalty being administered
Codes of Ethics and Professional Organizations
• Several professional organizations have established codes of conduct/ethics
• Codes of ethics can have positive effect; unfortunately, many employers do not
encourage joining these professional organizations
• Responsibility of security professionals to act ethically and according to policies of
employer, professional organization, and laws of society

PLANNING FOR SECURITY

• Creation of information security program begins with creation and/or review of
organization's information security policies, standards, and practices
• Then, selection or creation of information security architecture and the development
and use of a detailed information security blueprint creates plan for future success
• Security education and training to successfully implement policies and ensure secure
environment
Why Policy?
• A quality information security program begins and ends with policy
• Policies are least expensive means of control and often the most difficult to implement
• Some basic rules must be followed when shaping a policy:
– Never conflict with law
– Stand up in court
– Properly supported and administered
– Contribute to the success of the organization
– Involve end users of information systems

Definitions
• Policy: course of action used by an organization to convey instructions from management to
those who perform duties
– Organizational rules for acceptable/unacceptable behavior
– Penalties for violations
– Appeals process
• Standards: more detailed statements of what must be done to comply with policy
• Practices, procedures and guidelines effectively explain how to comply with policy
For a policy to be effective it must be
– Properly disseminated
– Read
– Understood
– Agreed to by all members of organization

Types of Policies
1. Enterprise Information Security Program Policy (EISP)
2. Issue-Specific Information Security Policy (ISSP)
3. Systems-Specific Information Security Policy (SysSP)
1. Enterprise Information Security Policy (EISP)
• Also Known as a general Security policy, IT security policy, or information security
policy.
• Sets strategic direction, scope, and tone for all security efforts within the organization
• Assigns responsibilities to various areas of information security
• Guides development, implementation, and management of information security
program

2. Issue-Specific Security Policy (ISSP)
• The ISSP:
– Addresses specific areas of technology
– Requires frequent updates
– Contains statement on position on specific issue
• Approaches to creating and managing ISSPs:
– Create number of independent ISSP documents
– Create a single comprehensive ISSP document
– Create a modular ISSP document

• ISSP topics could include:
– E-mail, use of the Web, configurations of computers to defend against worms
and viruses, prohibitions against hacking or testing organisation security
controls, home use of company-owned computer equipment, use of personal
equipment on company networks, use of telecommunications technologies (FAX
and phone), use of photocopiers
Components of the ISSP
• Statement of Policy
– Scope and Applicability
– Definition of Technology Addressed
– Responsibilities
• Authorized Access and Usage of Equipment
– User Access
– Fair and Responsible Use
– Protection of Privacy
• Prohibited Usage of Equipment
– Disruptive Use or Misuse
– Criminal Use
– Offensive or Harassing Materials
– Copyrighted, Licensed or other Intellectual Property
– Other Restrictions
• Systems Management
– Management of Stored Materials
– Employer Monitoring
– Virus Protection
– Physical Security
– Encryption
• Violations of Policy
– Procedures for Reporting Violations

– Penalties for Violations


• Policy Review and Modification
– Scheduled Review of Policy and Procedures for Modification
• Limitations of Liability
– Statements of Liability or Disclaimers
3. Systems-Specific Policy (SysSP)
• SysSPs are frequently codified as standards and procedures to be used when
configuring or maintaining systems
• Systems-specific policies fall into two groups:
• Access control lists (ACLs): the lists, matrices, and capability tables that govern
the rights and privileges of a particular user on a particular system
• Configuration rules: the specific configuration codes entered into security systems
(firewall or intrusion detection rule sets, for example) to guide the execution of the system
ACL Policies
• Both Microsoft Windows NT/2000 and Novell Netware 5.x/6.x families of systems
translate ACLs into sets of configurations that administrators use to control access to
their respective systems
• ACLs let an administrator restrict access to a resource down to individual users and
the locations they connect from, denying everyone else by default
• ACLs regulate:
– Who can use the system
– What authorized users can access
– When authorized users can access the system
– Where authorized users can access the system from
– How authorized users can access the system
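The ACL and capability-table wording above, and the complete-mediation and fail-safe-default principles from the Software Design Principles list, describe the same structure from different angles. As an added example (not from these notes), the Python below builds a small access control matrix, derives the per-object ACL (column) view and the per-subject capability (row) view from it, and routes every request through one default-deny check that also honours the "when" and "where" constraints listed above. The subjects, objects, time windows and networks are constructed sample values; the `Rule` type and function names are assumptions for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One cell of the access control matrix plus the when/where constraints
    the ACL section lists.  hours is a half-open [start, end) range of local hours."""
    subject: str
    obj: str
    rights: FrozenSet[str]
    hours: Tuple[int, int] = (0, 24)
    from_net: str = "0.0.0.0/0"


# Constructed sample policy (example values, not from the notes).
RULES: List[Rule] = [
    Rule("alice", "payroll.db", frozenset({"read", "write"}), hours=(8, 18), from_net="10.0.0.0/8"),
    Rule("alice", "webroot", frozenset({"read"})),
    Rule("bob", "webroot", frozenset({"read", "execute"})),
    # carol has no rules: her matrix row is empty, so every request is denied.
]


def acl_for(obj: str) -> Dict[str, Set[str]]:
    """Column view (ACL): for one object, which subjects hold which rights.
    This is what a file system stores alongside the file."""
    acl: Dict[str, Set[str]] = {}
    for r in RULES:
        if r.obj == obj:
            acl.setdefault(r.subject, set()).update(r.rights)
    return acl


def capabilities_for(subject: str) -> Dict[str, Set[str]]:
    """Row view (capability table): for one subject, which rights on which objects.
    This is what a capability system hands to the running process."""
    caps: Dict[str, Set[str]] = {}
    for r in RULES:
        if r.subject == subject:
            caps.setdefault(r.obj, set()).update(r.rights)
    return caps


def is_allowed(subject: str, obj: str, right: str, hour: int, src_ip: str) -> bool:
    """The single check every access goes through (complete mediation).

    Fail-safe default: the answer is False unless some rule grants the right
    AND the request falls inside that rule's time window and source network.
    Unknown subjects, objects, rights or unparsable addresses all deny.
    """
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    for r in RULES:
        if r.subject != subject or r.obj != obj or right not in r.rights:
            continue
        start, end = r.hours
        if not (start <= hour < end):
            continue
        if addr not in ipaddress.ip_network(r.from_net):
            continue
        return True
    return False


if __name__ == "__main__":
    print("ACL for payroll.db:", acl_for("payroll.db"))
    print("capabilities of bob:", capabilities_for("bob"))
    print("alice read payroll at 10:00 from 10.0.0.5:", is_allowed("alice", "payroll.db", "read", 10, "10.0.0.5"))
    print("alice read payroll at 02:00 from 10.0.0.5:", is_allowed("alice", "payroll.db", "read", 2, "10.0.0.5"))
```

The point of keeping one `is_allowed` is that there is exactly one place where "permission, not exclusion" is decided; a second code path that grants access without consulting it is how complete mediation is usually lost in practice. Least privilege shows up in the data: bob's row holds only what the web role needs, and an empty row (carol) means no access rather than an error.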
