
Information Assurance and Security: Mangahas, Teresita S. Antonio, Lilibeth

The document discusses the need for information security and identifies threats to information security. Organizations must understand security risks in order to protect their information systems from attacks. Common threats include malware infections, system penetrations by outsiders, and software attacks like viruses and worms.


IT 308
INFORMATION ASSURANCE AND SECURITY
Antonio, Lilibeth
Mangahas, Teresita S.
Pagsibigan, Arvin

BULACAN STATE UNIVERSITY | COLLEGE OF INFORMATION AND COMMUNICATIONS TECHNOLOGY


LESSON 02
NEED FOR SECURITY

Unlike any other information technology program, the primary mission of an information security program is to ensure that systems and their contents remain the same. Organizations expend hundreds of thousands of dollars and thousands of man-hours to maintain their information systems. If threats to information and systems didn’t exist, these resources could be used to improve the systems that support the information. However, attacks on information systems are a daily occurrence, and the need for information security grows along with the sophistication of such attacks. Organizations must understand the environment in which information systems operate so that their information security programs can address actual and potential problems. This chapter describes this environment and identifies the threats it poses to organizations and their information.
Learning objectives

01 Explain why organizations have a business need for information security
02 Identify the threats posed to information security and the more common attacks associated with those threats, and differentiate threats to the information within systems from attacks against the information within systems
03 Describe the issues facing software developers, as well as the most common errors made by developers, and explain how software development programs can create software that is more secure and reliable
04 Describe the functions of and relationships among laws, regulations, and professional organizations in information security
05 Identify major national laws that affect the practice of information security

DURATION: 3hrs
ACTIVITY

PRIVACY ACTIVITY

Do you know how much data about yourself is freely available online? If someone were to research you, what would they be able to find? What could they know about you from a simple search? Put on your detective hat and go digging for the data you can find about yourself.

Begin by typing in your name. Then, try your name + your school or the name of your city. Even try your name + a sport you play! You can look at search engines, your school website, social networks, or any other frequently used website! You can even include posts from social media sites if you can find them.

Information | Where you found it

BULACAN STATE UNIVERSITY | COLLEGE OF INFORMATION AND COMMUNICATIONS TECHNOLOGY IT 306 | MULTIMEDIA TECHNOLOGIES
ANALYSIS
What could someone who is researching you find out about your personality/life?

What does this tell us about our presence online with the things we post and
information we make public?

How could this information be used in a hacking situation?

What information poses the biggest threat to your privacy/security?

With information online, we can piece together your hobbies, your favorites, and even details of your personal life. This means that as we become digital natives, more and more information about us ends up online. How can we avoid this? Do not give away too much information about yourself online. There is no way to hide from the information online, but we can limit it to a certain extent. Also, make sure your accounts are private and that you have a positive footprint online.

Information security’s primary mission is
to ensure that systems and their
contents remain the same!

Business Needs First

Information Security Important Functions


1. Protect the organization’s ability to function
2. Enable the safe operation of applications
3. Protect the data
4. Safeguard technology assets

THREATS
In the context of information security, a threat is an object, person, or
other entity that presents an ongoing danger to an asset.

To protect the organization’s information:

1. Know the information to be protected and the systems that store, transport, and process it
2. Know the threats you face

Computer Security Institute (CSI), 2009
• 64% of responding organizations reported malware infections
• 14% reported system penetration by an outsider
• Loss = $234K per respondent
• Downward trend
• Security is improving
• Companies declining to outsource security climbed from 59% to 71%, i.e., security is staying in house

“Computer systems are not
vulnerable to attack. We are
vulnerable to attack through
our computer systems.”

Robert Seacord

Threats to Information Security

Categories of Threat | Examples
Compromises to intellectual property | Piracy, copyright infringement
Software attacks | Viruses, worms, macros, DoS
Deviations in quality of service from service providers | ISP, power, WAN service issues
Espionage or trespass | Unauthorized access and/or data collection
Forces of nature | Fire, flood, earthquake, lightning
Acts of human error or failure | Accidents, employee mistakes
Threats to Information Security

Categories of Threat | Examples
Information extortion | Blackmail or information disclosure
Deliberate acts of theft | Illegal confiscation of equipment or information
Missing, inadequate, or incomplete | Loss of access to information systems due to disk drive failure, without proper backup and recovery plan
Missing, inadequate, or incomplete controls | Network compromised because no firewall security controls
Sabotage or vandalism | Destruction of systems or information

Threats to Information Security

Categories of Threat | Examples
Theft | Illegal confiscation of equipment or information
Technical hardware failures or errors | Equipment failure
Technical software failures or errors | Bugs, code problems, unknown loopholes
Technological obsolescence | Antiquated or outdated technologies

Intellectual Property
• Includes
  • Trade secrets - formula, practices, designs, instruments
  • Copyrights - ex. song, movie, software
  • Trademarks-
  • Patents-
• Breaches constitute a threat
• 2 watchdog agencies
  • Software and Information Industry Association
  • Business Software Alliance
• Most common breach
  • Software piracy
  • 1/3 of all software in use is pirated

Deliberate Software Attacks
• Malicious code
• Malicious software
• Malware
• First business hacked out of existence
• Denial-of-service attack
• Cloudnine
• British Internet service provider

Virus

• Segments of code
• Attaches itself to existing program
• Takes control of program access
• Replication

Worms

• Malicious program
• Replicates constantly
• Doesn’t require another program
• Can be initiated with or without the user
download

Other Malware
• Trojan Horse
• Hide their true nature
• Reveal the designed behavior only when activated
• Back door or trap door
• Allows access to system at will with special privileges
• Polymorphism
• Changes its apparent shape over time
• Makes it undetectable by techniques that look for
preconfigured signatures
• Hoaxes

Espionage or Trespass

• Intelligence gathering - practice of spying
  • Legal – competitive intelligence
  • Illegal – industrial espionage
  • Thin line
  • One technique – shoulder surfing
• Trespass - to enter without permission
• Protect with
  • Authentication
  • Authorization

Hackers

• 2 levels
• Experts
• Develop software scripts
• Develop program exploits
• Novice
• Script kiddie
• Use previously written software
• Packet monkeys
• Use automated exploits

System Rule Breakers

• Crackers
• Individuals who crack or remove software
protection designed to prevent unauthorized
duplication
• Phreakers- specialize in attacks on
telephone system
• Use public networks to make free phone
calls

Forces of Nature

• Pose some of the most dangerous threats
• Unexpected and occur with little or no warning
  • Fire
  • Flood
  • Tornado
  • Earthquake
  • Tsunami
  • Lightning
  • Electrostatic discharge
  • Landslide
  • Dust contamination
  • Mudslide
  • Hurricane/typhoon

Acts of Human Error or Failure

• Acts performed without intent or malicious purpose by an authorized user
• Greatest threat to org info security
• Organization’s own employees
• Closest to the data
• Mistakes
• Revelation of classified data
• Entry of erroneous data
• Accidental deletion or modification of data
• Storage of data in unprotected areas
• Failure to protect information

Acts of Human Error or Failure

• Prevention
• Training
• Ongoing awareness activities
• Controls
• Require user to type a critical command twice
• Verification of commands

Deliberate Acts
• Information Extortion
• Attacker or trusted insider steals information
• Demands compensation
• Agree not to disclose information

Missing, Inadequate or Incomplete Controls
• Security safeguards and information asset
protection controls are
• Missing
• Misconfigured
• Antiquated
• Poorly designed or managed
• Make org more likely to suffer loss

Sabotage or Vandalism
• Deliberate sabotage of a computer system
or business
• Acts to destroy an asset
• Damage to an image of an organization
• Hacktivist or cyber activist
• Interfere with or disrupt systems
• Protest the operations, policies, or actions
• Cyber terrorism
• Theft

Theft
• Illegal taking of another’s property
• Physical
• Electronic
• Intellectual
• Constant
• Problem – crime not always readily
apparent- not always obvious

Technical Hardware Failures or Errors
• Best known
• Intel Pentium II chip
• First ever chip recall
• Loss of over $475 million
• Technology obsolescence/ obsolete
• Can lead to unreliable and untrustworthy
systems
• occurs when a new product has been created to
replace an older version.

Technical Software Failures or Errors

• Large quantities of code written, published, and sold with bugs
• Bugs undetected and unresolved
• Combinations of software can cause issues
• Weekly patches

Technology Obsolescence
• Outdated hardware or software
• Reliability problems
• Management problem
• Should have plan in place
• Non-support of legacy systems
• Can be costly to resolve

Attacks

Vector | Description
IP scan and attack | Infected system scans IP addresses and targets vulnerabilities
Web browsing | Makes Web content files infectious
Virus | Infects other machines
Unprotected shares | Infects any device that is unprotected
Mass mail | E-mailing to all addresses in an address book
Simple Network Management Protocol (SNMP) | Using the common password employed in early versions of the protocol, the attacking program can gain control of the device

METHODS OF ATTACKS
Hoaxes
A more devious attack on computer systems is the transmission of a virus hoax with a real virus attached. When the attack is masked in a seemingly legitimate message, unsuspecting users more readily distribute it.

Backdoors
Using a known or previously unknown and newly discovered access mechanism, an attacker can gain access to a system or network resource through a back door. Sometimes these entries are left behind by system designers or maintenance staff, and thus are called trap doors.

Methods of Attack
• Password Crack
  • Attempting to reverse-calculate a password is often called cracking. A cracking attack is a component of many dictionary attacks. It is used when a copy of the Security Account Manager (SAM) data file, which contains a hashed representation of the user’s password, can be obtained. A password can be hashed using the same algorithm and compared to the hashed results. If they are the same, the password has been cracked.
• Brute Force
  • The application of computing and network resources to try every possible password combination is called a brute force attack. Since the brute force attack is often used to obtain passwords to commonly used accounts, it is sometimes called a password attack.

Methods of Attack
• Dictionary
• The dictionary attack is a variation of the brute force attack which
narrows the field by selecting specific target accounts and using a list of
commonly used passwords (the dictionary) instead of random
combinations.
• Denial-of-Service (DOS)
• In a denial-of-service (DoS) attack, the attacker sends a large number of
connection or information requests to a target (see Figure 2-11). So many
requests are made that the target system becomes overloaded and
cannot respond to legitimate requests for service. The system may crash
or simply become unable to perform ordinary functions.

Methods of Attack

• Distributed Denial-of-Service (DDoS)
  • A distributed denial-of-service (DDoS) is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.
  • DDoS attacks are the most difficult to defend against, and there are presently no controls that any single organization can apply.

DDOS

Methods of Attack

• Spoofing
• Spoofing is a technique used to gain unauthorized access to computers, wherein
the intruder sends messages with a source IP address that has been forged to
indicate that the messages are coming from a trusted host.
• Man-in-the-middle
• In the well-known man-in-the-middle or TCP hijacking attack, an attacker
monitors (or sniffs) packets from the network, modifies them, and inserts them
back into the network. This type of attack uses IP spoofing to enable an attacker
to impersonate another entity on the network. It allows the attacker to
eavesdrop as well as to change, delete, reroute, add, forge, or divert data.

Methods of Attack
• Spam
• Spam is unsolicited commercial e-mail.
• Mail Bombing
• Another form of e-mail attack that is also a DoS is called a mail bomb, in which
an attacker routes large quantities of e-mail to the target. This can be
accomplished by means of social engineering (to be discussed shortly) or by
exploiting various technical flaws in the Simple Mail Transport Protocol (SMTP).
• Sniffers
• A sniffer is a program or device that can monitor data traveling over a network.
Sniffers can be used both for legitimate network management functions and for
stealing information. Unauthorized sniffers can be extremely dangerous to a
network’s security, because they are virtually impossible to detect and can be
inserted almost anywhere.

Methods of Attack
• Social Engineering
• In the context of information security, social engineering is the
process of using social skills to convince people to reveal access
credentials or other valuable information to the attacker.
• Phishing
• Phishing is an attempt to gain personal or financial information
from an individual, usually by posing as a legitimate entity. Phishing
attacks gained national recognition with the AOL phishing attacks
that were widely reported in the late 1990s, in which individuals
posing as AOL technicians attempted to get logon credentials from
AOL subscribers.

METHODS OF ATTACKS
• A variant is spear phishing, a label that applies to any highly targeted
phishing attack. While normal phishing attacks target as many recipients as
possible, a spear phisher sends a message that appears to be from an
employer, a colleague, or other legitimate correspondent, to a small group or
even one specific person. This attack is sometimes used to target those who
use a certain product or Web site.

Methods of Attack

Phishing attacks use three primary techniques, often in combination with one another:
• URL manipulation,
• Web site forgery, and
• phone phishing.
• In URL manipulation, attackers send an HTML embedded e-mail message, or a hyperlink whose HTML code opens a forged Web site.

Methods of Attack
• In a forged Web site the page looks legitimate; indeed, when users click on either of the bottom two buttons (Personal Banking Demo or Enroll in RegionsNet), they are directed to the authentic bank Web page.
• Phone phishing is pure social engineering. The attacker calls a victim on
the telephone and pretends to be someone they are not (a practice
sometimes called pretexting) in order to gain access to private or
confidential information such as health or employment records or
financial information. They may impersonate someone who is known to
the potential victim only by reputation.

Methods of Attack
• Pharming
• Pharming is “the redirection of legitimate Web traffic (e.g., browser requests) to an illegitimate site for the purpose of obtaining private information.” Pharming often uses Trojans, worms, or other virus technologies to attack the Internet browser’s address bar so that the valid URL typed by the user is modified to that of the illegitimate Web site.
• Timing Attack
• A timing attack explores the contents of a Web browser’s cache and stores
a malicious cookie on the client’s system.

SECURE SOFTWARE DEVELOPMENT

• Systems consist of hardware, software, networks, data, procedures, and people using the system.
• The development of systems and the software they use is often
accomplished using a methodology, such as the systems development life
cycle (SDLC). Many organizations recognize the need to include planning
for security objectives in the SDLC they use to create systems, and have
put in place procedures to create software that is more able to be
deployed in a secure fashion. This approach to software development is
known as software assurance, or SA.

SOFTWARE DEVELOPMENT SECURITY
PROBLEMS
• Command Injection
  • Command injection problems occur when user input is passed directly to a compiler or interpreter. The underlying issue is the developer’s failure to ensure that command input is validated before it is used in the program.

      @echo off
      rem Read a line from the user; nothing validates it.
      set /p myVar="Enter the string>"
      rem The input is expanded as-is into the commands below.
      set someVar=%myVar%
      echo %somevar%

SOFTWARE DEVELOPMENT SECURITY
PROBLEMS
• Cross-site Scripting
• Cross site scripting (or XSS) occurs when an application running on a
Web server gathers data from a user in order to steal it. An attacker
can use weaknesses in the Web server environment to insert
commands into a user’s browser session.
• Failure to Handle Errors
• Failure to handle errors can cause a variety of unexpected system
behaviors. Programmers are expected to anticipate problems and
prepare their application code to handle them.

SOFTWARE DEVELOPMENT SECURITY
PROBLEMS
• Failure to Protect Network Traffic
• With the growing popularity of wireless networking comes a
corresponding increase in the risk that wirelessly transmitted data will
be intercepted. Without appropriate encryption (such as that afforded
by WPA), attackers can intercept and view your data.
• Failure to Store and Protect Data Securely
• Failure to properly implement sufficiently strong access controls makes
the data vulnerable. Overly strict access controls hinder business users
in the performance of their duties.

SOFTWARE DEVELOPMENT SECURITY
PROBLEMS
• Failure to Use Cryptographically Strong Random Numbers
• These “random” number generators use a mathematical algorithm, based on a seed value and another system component (such as the computer clock), to simulate a random number. Those who understand the workings of such a “random” number generator can predict particular values at particular times.
• Format String Problems
• An attacker may embed characters that are meaningful as formatting
directives (e.g., %x, %d, %p, etc.) into malicious input; if this input is then
interpreted by the program as formatting directives (such as an argument
to the C printf function), the attacker may be able to access information or
overwrite very targeted portions of the program’s stack with data of the
attacker’s choosing.
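
For the random-number point above, an added Python example (not part of the original slides) of why a clock-seeded generator is unsuitable for security tokens and what to use instead. The function names and the timestamp are constructed for illustration.

```python
import random
import secrets


def weak_reset_token(issued_at: int) -> str:
    """Token from a PRNG seeded with the clock: the pattern the slide warns about."""
    rng = random.Random(issued_at)           # seed = Unix time in seconds
    return f"{rng.getrandbits(128):032x}"    # looks random, but is a pure function of the seed


def reproducible_seed(token: str, approx_time: int, window: int = 300):
    """Audit check: return the clock value that regenerates `token`, if any value
    within +/- `window` seconds of `approx_time` does; otherwise None."""
    for candidate in range(approx_time - window, approx_time + window + 1):
        if weak_reset_token(candidate) == token:
            return candidate
    return None


def strong_reset_token() -> str:
    """Token from the operating system's CSPRNG; there is no seed to guess."""
    return secrets.token_hex(16)             # 128 bits, same length as the weak token


if __name__ == "__main__":
    issued = 1_700_000_000                   # constructed timestamp
    weak = weak_reset_token(issued)
    strong = strong_reset_token()
    # Knowing only roughly when the token was issued is enough to regenerate it.
    print("weak token  :", weak, "seed found:", reproducible_seed(weak, issued + 120))
    print("strong token:", strong, "seed found:", reproducible_seed(strong, issued + 120))
```
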

SOFTWARE DEVELOPMENT SECURITY
PROBLEMS
• Neglecting Change Control
• Developers use a process known as change control to ensure that the working system
delivered to users represents the intent of the developers. Early in the development
process, change control ensures that developers do not work at cross purposes by
altering the same programs or parts of programs at the same time. Once the system
is in production, change control processes ensure that only authorized changes are
introduced and that all changes are adequately tested before being released.
• Improper File Access
• If an attacker changes the expected location of a file by intercepting and modifying a
program code call, the attacker can force a program to use files other than the ones
the program is supposed to use. This type of attack could be used to either substitute
a bogus file for a legitimate file (as in password files), or trick the system into running
a malware executable.

SOFTWARE DEVELOPMENT SECURITY
PROBLEMS
• Improper Use of SSL
• While most programmers assume that using SSL guarantees security,
unfortunately they more often than not mishandle this technology. SSL and its
successor, Transport Layer Security (TLS), both need certificate validation to be
truly secure. Failure to use Hypertext Transfer Protocol Secure (HTTPS), to
validate the certificate authority and then validate the certificate itself, or to
validate the information against a certificate revocation list (CRL), can
compromise the security of SSL traffic.
• Information Leakage
• One of the most common methods of obtaining inside and classified
information is directly or indirectly from an individual, usually an employee.
• By warning employees against disclosing information, organizations can protect
the secrecy of their operation.

SOFTWARE DEVELOPMENT SECURITY
PROBLEMS
• Race Conditions
• A race condition occurs, for example, when a program creates a temporary file, and an
attacker is able to replace it between the time it is created and the time it is used. A race
condition can also occur when information is stored in multiple memory threads if one
thread stores information in the wrong memory location, by accident or intent.
• SQL Injection
• SQL injection occurs when developers fail to properly validate user input before using it to
query a relational database. For example, a fairly innocuous program fragment expects
the user to input a user ID and then perform a SQL query against the USERS table to
retrieve the associated name:
• Ex.
      Accept USER-ID from console;
      SELECT USERID, NAME FROM USERS WHERE USERID = USER-ID;
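
The USERID lookup above, as an added Python/sqlite3 example (not part of the original slides) that puts the unvalidated query beside a parameterized and a validated one. The sample rows, the crafted input and the function names are constructed for illustration.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory USERS table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE USERS (USERID TEXT PRIMARY KEY, NAME TEXT)")
    db.executemany(
        "INSERT INTO USERS (USERID, NAME) VALUES (?, ?)",
        [("JOE", "Joe Santos"), ("ANA", "Ana Cruz"), ("ADMIN", "Administrator")],
    )
    return db


def lookup_vulnerable(db, user_id):
    # The input is pasted into the statement text, so quote characters in
    # user_id become part of the SQL grammar instead of part of the value.
    sql = "SELECT USERID, NAME FROM USERS WHERE USERID = '" + user_id + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, user_id):
    # The statement text is fixed; user_id is bound as a value and is never
    # parsed as SQL, whatever characters it contains.
    sql = "SELECT USERID, NAME FROM USERS WHERE USERID = ?"
    return db.execute(sql, (user_id,)).fetchall()


def lookup_validated(db, user_id):
    # Validation in addition to binding: reject anything that is not a
    # plausible user ID before it reaches the database at all.
    if not re.fullmatch(r"[A-Za-z0-9]{1,16}", user_id):
        raise ValueError("invalid user ID")
    return lookup_parameterized(db, user_id)


if __name__ == "__main__":
    db = make_db()
    crafted = "JOE' OR '1'='1"   # constructed input containing SQL syntax
    print("vulnerable   :", lookup_vulnerable(db, crafted))     # every row in USERS
    print("parameterized:", lookup_parameterized(db, crafted))  # no such USERID
    print("normal input :", lookup_parameterized(db, "JOE"))
```
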

SOFTWARE DEVELOPMENT SECURITY
PROBLEMS
• Trusting Network Address Resolution
• In the last type of attack, if the attacker discovers a delay in a name
server (or can introduce one, as in a denial of service attack) they can
set up another server to respond as if it were the actual DNS server,
before the real DNS server can.
• Unauthenticated Key Exchange
• It is when an attacker writes a variant of a public key system and
places it out as “freeware,” or corrupts or intercepts the function of
someone else’s public key encryption system, perhaps by posing as a
public key repository.

SOFTWARE DEVELOPMENT SECURITY
PROBLEMS
• Use of Magic URLs and Hidden Forms
• Too often sensitive state information is simply included in a “magic” URL
(for example, the authentication ID is passed as a parameter in the URL for
the exchanges that will follow) or included in hidden form fields on the
HTML page.
• If this information is stored as plain text, an attacker can harvest the
information from a magic URL as it travels across the network, or use
scripts on the client to modify information in hidden form fields.
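
One way a server can detect modified hidden form fields, as an added Python example (not part of the original slides). The field name, session IDs and helper names are constructed for illustration, and the key would normally come from server-side configuration.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: a per-deployment secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)


def compute_tag(session_id: str, name: str, value: str) -> str:
    # JSON-encode the three parts so their boundaries are unambiguous, then
    # bind the value to both the field name and the session it was issued to.
    message = json.dumps([session_id, name, value]).encode("utf-8")
    return hmac.new(SERVER_KEY, message, hashlib.sha256).hexdigest()


def sign_field(name: str, value: str, session_id: str) -> str:
    """Value to place in the hidden field: '<value>.<hex tag>'."""
    return f"{value}.{compute_tag(session_id, name, value)}"


def read_field(name: str, submitted: str, session_id: str) -> str:
    """Return the value only if it is exactly what the server issued."""
    value, sep, tag = submitted.rpartition(".")
    if not sep:
        raise ValueError("missing integrity tag")
    expected = compute_tag(session_id, name, value)
    # Constant-time comparison of the submitted tag and the recomputed one.
    if not hmac.compare_digest(tag.encode("utf-8"), expected.encode("utf-8")):
        raise ValueError("hidden field was modified")
    return value


if __name__ == "__main__":
    issued = sign_field("price", "19.99", "sess-1")   # constructed sample values
    print("accepted:", read_field("price", issued, "sess-1"))
    tampered = "0.01." + issued.rpartition(".")[2]    # value changed, old tag kept
    try:
        read_field("price", tampered, "sess-1")
    except ValueError as exc:
        print("rejected:", exc)
```

Signing detects modification but does not hide the value, so the field still needs HTTPS in transit, and state that must stay secret belongs in a server-side session rather than in the page.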

SOFTWARE DEVELOPMENT SECURITY
PROBLEMS
• Use of Weak Password-Based Systems
• Failure to require sufficient password strength, and to control
incorrect password entry, is a serious security issue.
• Systems that do not validate passwords, or store passwords in easy-to-access locations, are ripe for attack.
• The strength of a password determines its ability to withstand a brute force attack. Using non-standard password components (like the 8.3 rule—at least 8 characters, with at least one letter, number, and non-alphanumeric character) can greatly enhance the strength of the password.
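
The controls named on this slide and on the earlier Password Crack slide, as an added Python example (not part of the original slides): the 8.3 rule, salted and deliberately slow password hashing, and a limit on incorrect entries. The work factor, lockout threshold and sample passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000   # assumption: work factor for this example
MAX_FAILURES = 5          # assumption: lockout threshold for this example


def meets_8_3_rule(password: str) -> bool:
    """At least 8 characters, with at least one letter, number and non-alphanumeric."""
    return (len(password) >= 8
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def unsalted_hash(password: str) -> bytes:
    # Weak storage: equal passwords give equal hashes, so one precomputed
    # dictionary of hashes can be compared against every account at once.
    return hashlib.sha256(password.encode("utf-8")).digest()


def hash_password(password: str, salt: bytes = None):
    # A per-user random salt plus a slow key-derivation function: each guess
    # must be recomputed per account and costs PBKDF2_ROUNDS hash operations.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class Account:
    def __init__(self, password: str):
        if not meets_8_3_rule(password):
            raise ValueError("password does not meet the 8.3 rule")
        self.salt, self.digest = hash_password(password)
        self.failures = 0

    @property
    def locked(self) -> bool:
        return self.failures >= MAX_FAILURES

    def login(self, attempt: str) -> bool:
        if self.locked:                       # control on incorrect password entry
            return False
        candidate = hash_password(attempt, self.salt)[1]
        if hmac.compare_digest(candidate, self.digest):   # constant-time compare
            self.failures = 0
            return True
        self.failures += 1
        return False


if __name__ == "__main__":
    acct = Account("Bulac4n!State")           # constructed sample password
    for guess in ["password", "123456", "qwerty", "letmein", "bulacan"]:
        acct.login(guess)
    print("locked after 5 bad guesses:", acct.locked)
    print("correct password while locked:", acct.login("Bulac4n!State"))
```
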

SOFTWARE DEVELOPMENT SECURITY
PROBLEMS
• Poor Usability
• Employees prefer doing things the easy way. When faced with an
“official way” of performing a task and an “unofficial way”—which is
easier—they prefer the easier method. The only way to address this
issue is to only provide one way—the secure way! Integrating security
and usability, adding training and awareness, and ensuring solid
controls all contribute to the security of information. Allowing users to
default to easier, more usable solutions will inevitably lead to loss.

LEGAL, ETHICAL AND PROFESSIONAL ISSUES IN
INFORMATION SECURITY
Law and Ethics in Information Security

• Laws
• Rules that mandate or prohibit certain behavior
• Drawn from ethics

• Ethics
• Define socially acceptable behaviors

• Key difference
• Laws carry the authority of a governing body
• Ethics do not carry the authority of a governing body
• Based on cultural mores
• Fixed moral attitudes or customs
• Some ethics standards are universal

Organizational Liability and the Need for Counsel
• Liability
• Legal obligation of organization
• Extends beyond criminal or contract law
• Includes legal obligation to make restitution
• Employee acting with or without authorization performs
an illegal or unethical act that causes some degree of harm
• Employer can be held financially liable
• Due care
• Organization makes sure that every employee knows what is
acceptable or unacceptable
• Knows the consequences of illegal or unethical actions

Policy Versus Law
• Policies
• Guidelines that describe acceptable and unacceptable employee behaviors
• Function as organizational laws
• Have penalties, judicial practices, and sanctions
• Difference between policy and law
• Ignorance of policy is acceptable
• Ignorance of law is unacceptable
• Keys for a policy to be enforceable
• Dissemination
• Review
• Comprehension
• Compliance
• Uniform enforcement

Types of Law
• Civil – governs a nation or state
• Ex. libel, slander, breach of contract
• Criminal – addresses activities and conduct harmful to the public
• Ex. murder, theft, assault, drunken driving
• Private – encompasses family, commercial, and labor law, and regulates the
relationship between individuals and organizations
• Public – regulates the structure and administration of government
agencies and their relationships with citizens, employees, and other
governments.

International Laws and Legal Bodies
Council of Europe Convention on Cybercrime
• International task force
• Designed to oversee range of security functions
• Designed to standardize technology laws across international borders
• Attempts to improve the effectiveness of international investigations into breaches
of technology law
• Concern raised by those concerned with freedom of speech and civil liberties
• Overall goal
• Simplify the acquisition of information for law enforcement agencies in certain types of
international crimes

Agreement on Trade-Related Aspects of Intellectual
Property Rights
• Created by the World Trade Organization
• Introduced intellectual property rules into the multilateral trade system
• First significant international effort to protect intellectual property rights
• Covers five issues
• How basic principles of the trading system and other international
intellectual property agreements should be applied
• How to give adequate protection to intellectual property rights
• How countries should enforce those rights adequately in their own
territories
• How to settle disputes on intellectual property between members of the
WTO
• Special transitional arrangements during the period when the new
system is being introduced

Digital Millennium Copyright Act
• American contribution to WTO
• Plan to reduce the impact of copyright, trademark, and privacy infringement
• United Kingdom has implemented a version
• Database Right

Provisions:
• Prohibits the circumvention of protections and countermeasures implemented by copyright
owners to control access to protected content
• Prohibits the manufacture of devices to circumvent protections and countermeasures that
control access to protected content
• Bans trafficking in devices manufactured to circumvent protections and countermeasures that
control access to protected content
• Prohibits the altering of information attached or embedded into copyrighted material
• Excludes Internet service providers from certain forms of contributory copyright infringement

Ethics and Information Security
• From The Computer Ethics Institute
• 1. Thou shalt not use a computer to harm other people.
• 2. Thou shalt not interfere with other people’s computer work.
• 3. Thou shalt not snoop around in other people’s computer files.
• 4. Thou shalt not use a computer to steal.
• 5. Thou shalt not use a computer to bear false witness.
• 6. Thou shalt not copy or use proprietary software for which you have not paid.
• 7. Thou shalt not use other people’s computer resources without authorization or
proper compensation.
• 8. Thou shalt not appropriate other people’s intellectual output.
• 9. Thou shalt think about the social consequences of the program you are writing
or the system you are designing.
• 10. Thou shalt always use a computer in ways that ensure consideration and
respect for your fellow humans.

Major IT Professional Organizations

• Association of Computing Machinery
• “World’s first educational and scientific computing society”
• Strongly promotes education
• Provides discounts for student members
• International Information Systems Security Certification Consortium, Inc. (ISC)²
• Nonprofit organization
• Focuses on the development and implementation of information security
certifications and credentials
• Manages a body of knowledge on information security
• Administers and evaluates examinations for information security certifications

Major IT Professional Organizations

• Systems Administration, Networking, and Security Institute (SANS)
• Professional research and education cooperative
• Current membership > 156,000
• Security professionals
• Auditors
• System administrators
• Network administrators
• Offers set of certifications

Major IT Professional Organizations

• Information Systems Audit and Control Association
• Focuses on auditing, control, and security
• Membership includes technical and managerial professionals
• Does not focus exclusively on information security
• Has many information security components
• Information Systems Security Association (ISSA)
• Nonprofit society of information security professionals
• Mission – bring together qualified information security practitioners
• Information exchange
• Education development
• Focus – “promoting management practices that will ensure the confidentiality,
integrity, and availability of organizational information resources”

Federal Agencies
• Department of Homeland Security
• Five directorates or divisions
• Mission – protecting the people as well as the physical and
informational assets of the United States
• Directorate of Information and Infrastructure
• Creates and enhances resources used to discover and respond to attacks on
national information systems and critical infrastructure
• Directorate of Science and Technology
• Research and development activities in support of homeland defense
• Examination of vulnerabilities
• Sponsors emerging best practices

Cyber Security in the Philippines

• The Cybercrime Prevention Act of 2012 (CPA) defines the following as cybercrimes:
• offences against the confidentiality, integrity and availability of computer data and systems
(illegal access, illegal interception, data interference, system interference, misuse of devices
and cybersquatting);
• computer-related offences (computer-related forgery, computer-related fraud and computer-
related identity theft); and
• content-related offences (cybersex, child pornography, unsolicited commercial communications
and libel).
• The CPA appointed the National Bureau of Investigation (NBI) and the Philippine National
Police (PNP) as enforcement authorities and regulates their access to computer data, creating
the Cybercrime Investigation and Coordinating Center (CICC) as an inter-agency body for policy
coordination and enforcement of the national cybersecurity plan, and an Office of Cybercrime
within the Department of Justice (DOJ-OC) for international mutual assistance and extradition

• The Electronic Commerce Act of 2000 (ECA) provides for the legal recognition
of electronic documents, messages and signatures for commerce, transactions
in government and evidence in legal proceedings.
• The Access Devices Regulation Act of 1998 (ADRA) penalises various acts of
access device fraud, such as using counterfeit access devices. An access device
is any card, plate, code, account number, electronic serial number, personal
identification number or other telecommunications service, equipment or
instrumental identifier, or other means of account access that can be used to
obtain money, goods, services or any other thing of value, or to initiate a
transfer of funds

• The Data Privacy Act of 2012 (DPA) regulates the collection and processing of
personal information in the Philippines and of Filipinos, including sensitive
personal information in government; created the National Privacy Commission
(NPC) as a regulatory authority; requires personal information controllers to
implement reasonable and appropriate measures to protect personal
information and notify the NPC and affected data subjects of breaches; and
penalises unauthorised processing, access due to negligence, improper
disposal, processing for unauthorised purposes, unauthorised access or
intentional breach, concealment of security breaches and malicious or
unauthorised disclosure in connection with personal information.
