Info - Security U1 Ch.1 Introduction

Uploaded by shaurya suman

Information Security

18CSE532
Unit1 chapter1

Dr. Sarojadevi H., Professor, Dept. of CSE


Ref: Principles of Information Security, 6th edition,
by Michael E. Whitman and Herbert J. Mattord,
Kennesaw State University, Cengage Learning, 2018.

1
Syllabus and mapping with text book
• Unit 1: Ch.1 , Introduction to Information
Security & Ch.2, The need for security
• Unit 2: Ch.4, Planning for Security
• Unit 3: Ch.6, Security Technology
• Unit 4: Ch.7, Security Technology
• Unit 5: Ch. 10, Implementing Information
Security & Ch.12 Information Security
maintenance
2
Unit 1
• Introduction to Information Security:
Introduction, The history of Information
Security, what is security? Critical
characteristics of Information, CNSS security
model, security in the systems development
life cycle.
• The need for security: Threats and Attacks,
deviations in quality of service, software
attacks.
3
Introduction
• Information security: a “well-informed sense of assurance
that the information risks and controls are in balance.” Jim
Anderson, Inovant (2002)
• Martin Fisher, IT Security Manager at Northside Hospital in
Atlanta, believes that enterprise information security is a
“critical business capability that needs to be aligned with
corporate expectations and culture that provides the
leadership and insight to identify risks and implement
effective controls.”
• Many information security practitioners recognize that
aligning information security needs with business objectives
must be the top priority.
4
History of Information security
• In the early days of computing, "computer security" meant securing the
physical location of computer equipment from outside threats.
• The term later came to represent all actions taken to protect computer
systems from losses.
• As the scope of protecting information in an organization expanded, the
concept evolved into what is now called information security.

5
The History of Information Security
• Began immediately following the development of the first mainframes
• Started with the concept of computer security
• Early computers were developed for code-breaking computations
• During World War II: the Enigma example (see figure on the next slide)
• Multiple levels of security were implemented, chiefly physical controls
• During these early years, information security was a straightforward
process composed predominantly of physical security and simple document
classification schemes.
• The main concerns were defending against physical theft, espionage
(spying), and sabotage (destruction).
6
Cryptographic device : Enigma
• Multiple levels of security
were implemented to protect
these devices and the
missions they served.
• This required new processes
as well as tried-and-true
methods needed to maintain
data confidentiality.
• Access to sensitive military
locations, for example, was
controlled by means of
badges, keys, and the facial
recognition of authorized
personnel by security guards.
• The growing need to
maintain national security
eventually led to more
complex and technologically
sophisticated computer
security safeguards.
7
Early 1960s: issues beyond physical control
• One of the first documented security
problems that fell outside these categories
occurred in the early 1960s, when a systems
administrator was working on a MOTD
(message of the day) file while another
administrator was editing the password file.
• A software glitch mixed the two files, and the
entire password file was printed on every
output file.
8
The 1960s
• During the Cold War, many mainframe computers were brought online to
accomplish complex and sophisticated tasks. These machines needed a simpler
way to exchange information than the original method: mailing magnetic tapes
between sites.
• The Advanced Research Projects Agency (ARPA) of the Department of Defense
examined the feasibility of redundant networked communications for the
military's exchange of information.
• Larry Roberts developed ARPANET from its inception.
• Plan:
– Develop networking and link computers
– Share resources over a redundant network (survivability in a nuclear war
was the Cold War concern)
– Link 17 computer research centers
• ARPANET evolved into the Internet.
9
1970s and 80s
During the next decade, ARPANET became popular and used widely, increasing
the potential for its misuse. In 1973, Internet pioneer Robert M. Metcalfe
identified fundamental problems with ARPANET security:
• Individual remote sites did not have sufficient controls and safeguards to
protect data from unauthorized remote users.
• Vulnerability of password structure and formats; lack of safety procedures for
dial-up connections; and nonexistent user identification and authorizations.
• Phone numbers were widely distributed and openly publicized on the walls of
phone booths, giving hackers easy access to ARPANET.
• Because of the range and frequency of computer security violations and the
explosion in the numbers of hosts and users on ARPANET, network security
was commonly referred to as network insecurity.
In 1978, Richard Bisbey and Dennis Hollingworth, two researchers at the
Information Sciences Institute of the University of Southern California,
published a study entitled "Protection Analysis: Final Report" on a project
undertaken by ARPA to understand and detect vulnerabilities in operating
system security.

10
1970s/80s contd..
• In June 1967, ARPA formed a task force to study the process of securing
classified information systems. The task force was assembled in October 1967
and met regularly to formulate recommendations, which made up the contents of
RAND Report R-609.
• RAND Report R-609 (Department of Defense):
– Attempted to define the multiple controls and mechanisms necessary for the
protection of a computerized data processing system; it is considered the
starting point of the study of computer security and the beginning of
information security as a discipline.
– Identified the role of management and policy issues in computer security.
• A later version was released as Security Controls for Computer Systems:
Report of Defense Science Board Task Force on Computer Security (RAND Report
R-609-1).

11
Illustration of computer network vulnerabilities
from RAND Report R-609

12
Rand Report
• Found that the wide use of networking components in military information
systems introduced security risks that could not be mitigated by the routine
practices then used to secure these systems.
• Showed that a networked system can have several vulnerabilities at once
(see the illustration on the previous slide).
• The scope of computer security expanded significantly from the safety of
physical locations and hardware to include:
– Securing the data
– Limiting random and unauthorized access to that data
– Involving personnel from multiple levels of the organization in
information security

13
Main dates in information security (figure not reproduced)

14
MULTICS project and the security
(Multiplexed Information and Computing Service)
• The first operating system to integrate security into its core functions;
it implemented multiple security levels and passwords.
• A mainframe, time-sharing OS developed in the mid-1960s by GE, Bell Labs,
and MIT; now obsolete.
• Several MULTICS developers went on to create UNIX, mainly for text
processing.
• Unlike MULTICS, UNIX did not initially implement multiple security levels
or passwords.
• Late 1970s:
– The microprocessor expanded computing capabilities
– Mainframe presence was reduced
– Security threats expanded
15
1980s
• Decentralization of data processing systems in the 1980s gave rise to networking: the
interconnecting of PCs and mainframe computers, which enabled the computing
community to make all its resources work together.
• In the early 1980s, TCP (the Transmission Control Protocol) and IP (the Internet Protocol)
were developed and became the primary protocols for the ARPANET; they remain the core
protocols of the Internet today.
• Also during this time frame, DNS, the hierarchical Domain Name System, was developed.
The first dial-up Internet service provider (ISP) came online, allowing home users to access
the Internet.
• Prior to that, vendors like CompuServe, GEnie, Prodigy, and Delphi had provided dial-up
access for online computer services, while independent Bulletin Board Systems (BBSs)
became popular for sharing information among their subscribers.
• In the mid-1980s, the U.S. Government passed several key pieces of legislation that
formalized the recognition of computer security as a critical issue for federal information
systems. The Computer Fraud and Abuse Act of 1986 and the Computer Security Act of
1987 defined computer security and specified responsibilities and associated penalties.
• In 1988, the Defense Advanced Research Projects Agency (DARPA) within the Department
of Defense created the Computer Emergency Response Team (CERT) to address network
security.
16
The 1990s
• Networks of computers became more common, and the Internet, a network of
networks, was commercialized.
• The need to interconnect networks grew.
• Early interconnection was based on de facto standards rather than industry
standards, which could not ensure the security of information.
• In early Internet deployments, security was treated as a low priority; As
networked computers became the dominant style of computing, the
ability to physically secure a networked computer was lost, and the
stored information became more exposed to security threats.
• In the late 1990s and into the 2000s, many large corporations began
publicly integrating security into their organizations. Antivirus products
became extremely popular, and information security began to emerge as
an independent discipline.
17
Principles of Information Security, Fourth Edition
2000 to Present
• Millions of computer networks communicate with each other.
• Many of these communications are unsecured.
• The ability to secure a computer's data is influenced by the security of
every computer to which it is connected.
• The growing threat of cyber attacks has increased the need for improved
security.

18
2000 to present (contd..)
• The Internet brings millions of unsecured computer networks and billions of computer
systems into continuous communication with each other.
• The security of each computer’s stored information is contingent on the security level of
every other computer to which it is connected.
• Recent years have seen a growing awareness of the need to improve information security,
as well as a realization that information security is important to national defense.
• The growing threat of cyber attacks has made governments and companies more aware
of the need to defend the computerized control systems of utilities and other critical
infrastructure.
• Another growing concern is the threat of nation-states engaging in information warfare,
and the possibility that business and personal information systems could become
casualties if they are undefended.
• Since 2000, Sarbanes-Oxley and other laws related to privacy and corporate responsibility
have affected computer security.
• The attack on the World Trade Center on September 11, 2001 resulted in major
legislation changes related to computer security, specifically to facilitate law
enforcement's ability to collect information about terrorism.

19
What is Security?
• Security is protection. Protection from adversaries, those who would do
harm, intentionally or otherwise, is the ultimate objective of security.
• National security, for example, is a multilayered system that protects the
sovereignty of a state, its assets, its resources, and its people.
• Achieving the appropriate level of security for an organization also
requires a multifaceted system.
• A successful organization should have multiple layers of security in place
to protect its operations, physical infrastructure, people, functions,
communications, and information.
20
Explaining the figures: the CIA triad
• The Committee on National Security Systems (CNSS) defines information security as the
protection of information and its critical elements, including the systems and hardware
that use, store, and transmit the information.
• The first figure (previous slide) shows the components of information security: the broad
areas of information security management, data security, and network security.
• The CNSS model of information security evolved from a concept developed by the
computer security industry called the C.I.A. triad. The C.I.A. triad has been the standard for
computer security in both industry and government since the development of the
mainframe.
• This standard is based on the three characteristics of information that give it value to
organizations: confidentiality, integrity, and availability.
• The C.I.A. triad alone is now generally viewed as inadequate for the constantly changing
environment. The threats to the confidentiality, integrity, and availability of information
have evolved into a vast collection of events, including accidental or intentional damage,
destruction, theft, unintended or unauthorized modification, and other misuse from human
or nonhuman threats.
• The constantly evolving threats have prompted the development of a more robust model
that addresses the complexities of the current information security environment. C.I.A.
triad terminology is still used here because of the breadth of material that is based on it.
21
Information security concepts

22
Key Information Security Concepts
• Access
• Asset
• Attack
• Control, Safeguard, or Countermeasure
• Exploit
• Exposure
• Loss
• Protection Profile or Security Posture
• Risk
• Subjects and Objects
• Threat
• Threat Agent, Threat Event, Threat Source
• Vulnerability
23
Concepts: Terminologies
• Access: A subject or object’s ability to use, manipulate, modify, or affect
another subject or object. Authorized users have legal access to a system,
whereas hackers must gain illegal access to a system. Access controls regulate
this ability.
• Asset: The organizational resource that is being protected. An asset can be
logical, such as a Web site, software information, or data; or an asset can be
physical, such as a person, computer system, hardware, or other tangible
object. Assets, particularly information assets, are the focus of what security
efforts are attempting to protect.
• Attack: An intentional or unintentional act that can damage or otherwise
compromise information and the systems that support it. Attacks can be
active or passive, intentional or unintentional, and direct or indirect.
– Someone who casually reads sensitive information not intended for his or her use is
committing a passive attack.
– A hacker attempting to break into an information system is an intentional attack (active).
– A lightning strike that causes a building fire is an unintentional attack.
– A direct attack is perpetrated by a hacker using a PC to break into a system.
– An indirect attack is a hacker compromising a system and using it to attack other systems—
for example, as part of a botnet (slang for robot network).
24
Terminologies (contd..)
• Attack (contd.): A botnet (used in indirect attacks) is a group of
compromised computers running software of the attacker's choice; it can
operate autonomously or under the attacker's direct control to attack
systems, steal user information, or conduct distributed denial-of-service
attacks.
• Direct attacks originate from the threat itself. Indirect attacks
originate from a compromised system or resource that is malfunctioning or
working under the control of a threat.
25
Terminologies (contd..)
• Control, safeguard, or countermeasure: Security mechanisms,
policies, or procedures that can successfully counter attacks, reduce
risk, resolve vulnerabilities, and otherwise improve security within an
organization.
• Exploit: A technique used to compromise a system. This term can be
a verb or a noun. Threat agents may attempt to exploit a system or
other information asset by using it illegally for their personal gain. Or,
an exploit can be a documented process to take advantage of a
vulnerability or exposure, usually in software, that is either inherent
in the software or created by the attacker. Exploits make use of
existing software tools or custom-made software components.
• Exposure: A condition or state of being exposed; in information
security, exposure exists when a vulnerability is known to an attacker.

26
Terminologies (contd..)
• Loss: A single instance of an information asset suffering damage or
destruction, unintended or unauthorized modification or disclosure, or
denial of use. When an organization’s information is stolen, it has
suffered a loss.
• Protection profile or security posture: The entire set of controls and
safeguards, including policy, education, training and awareness, and
technology, that the organization implements to protect the asset. The
terms are sometimes used interchangeably with the term security
program, although a security program often comprises managerial
aspects of security, including planning, personnel, and subordinate
programs.
• Risk: The probability of an unwanted occurrence, such as an adverse
event or loss. Organizations must minimize risk to match their risk
appetite—the quantity and nature of risk they are willing to accept.

27
Terminologies …
• Subjects and objects of
attack: A computer can be
either the subject of an
attack—an agent entity used
to conduct the attack—or the
object of an attack: the
target entity, as shown in fig.
• A computer can also be both
the subject and object of an
attack. For example, it can be
compromised by an attack
(object) and then used to
attack other systems
(subject).

28
Terminologies …
• Threat: Any event or circumstance that has the potential to adversely
affect operations and assets. The term threat source is commonly used
interchangeably with the more generic term threat. We use the term
threat to describe threat sources.
• Threat agent: The specific instance or a component of a threat. For
example, the threat source of “trespass or espionage” is a category of
potential danger to information assets, while “external professional
hacker” (like Kevin Mitnick, who was convicted of hacking into phone
systems) is a specific threat agent.
– A lightning strike, hailstorm, or tornado is a threat agent that is part of the
threat source known as “acts of God/acts of nature.”

• Threat event: An occurrence of an event caused by a threat agent. An
example of a threat event might be damage caused by a storm. This term
is commonly used interchangeably with the term attack.
29
Terminologies …
• Threat source: A category of objects, people, or other entities that
represents the origin of danger to an asset—in other words, a
category of threat agents. Threat sources are always present and can
be purposeful or undirected. For example, threat agent “hackers,” as
part of the threat source “acts of trespass or espionage,” purposely
threaten unprotected information systems, while threat agent
“severe storms,” as part of the threat source “acts of God/acts of
nature,” incidentally threaten buildings and their contents.
• Vulnerability: A potential weakness in an asset or its defensive
control system(s). Some examples of vulnerabilities are a flaw in a
software package, an unprotected system port, and an unlocked
door. Some well-known vulnerabilities have been examined,
documented, and published; others remain latent (or undiscovered).

30
Characteristics of Information
• The value of information comes from the characteristics it possesses.
• When a characteristic of information changes, the value of that information
usually increases or decreases.
• Some characteristics affect information’s value to users more than others,
depending on circumstances.
• For example, timeliness of information can be a critical factor because
information loses much or all of its value when delivered too late.
• Though information security professionals and end users share an
understanding of the characteristics of information, tensions can arise when
the need to secure information from threats conflicts with the end users’
need for unhindered access to it.
• For instance, end users may perceive a 0.1-second delay in the computation of
data to be an unnecessary annoyance. Information security professionals,
however, may perceive 0.1 seconds as a minor delay that enables an
important task, like data encryption.

31
Critical Characteristics of Information
• The value of information comes from the
characteristics it possesses:
– Availability
– Accuracy
– Authenticity
– Confidentiality
– Integrity
– Possession
– Utility
32
Critical characteristics of Information (extended from the CIA triad of
confidentiality, integrity, and availability): Availability
Availability : An attribute of information that describes how data is
accessible and correctly formatted for use without interference or
obstruction.
• Availability enables authorized users—people or computer systems—to
access information without interference or obstruction and to receive it
in the required format.
• Consider, for example, research libraries that require identification
before entrance. Librarians protect the contents of the library so that
they are available only to authorized patrons. The librarian must accept
a patron’s identification before the patron has free access to the book
stacks. Once authorized patrons have access to the stacks, they expect
to find the information they need in a usable format and familiar
language. In this case, the information is bound in a book that is written
in English.

33
Accuracy
Accuracy: An attribute of information that describes how data is free of
errors and has the value that the user expects. Information has accuracy
when it is free from mistakes or errors and has the value that the end user
expects.
• If information has been intentionally or unintentionally modified, it is no
longer accurate.
• Consider a checking account, for example. You assume that the
information in your account is an accurate representation of your
finances. Incorrect information in the account can result from external
or internal errors. If a bank teller, for instance, mistakenly adds or
subtracts too much money from your account, the value of the
information is changed. Or, you may accidentally enter an incorrect
amount into your account register. Either way, an inaccurate bank
balance could cause you to make other mistakes, such as bouncing a
check.
34
Authenticity
Authenticity: An attribute of information that describes how data is genuine
or original rather than reproduced or fabricated.
• Authenticity of information is the quality or state of being genuine or
original, rather than a reproduction or fabrication. Information is
authentic when it is in the same state in which it was created, placed,
stored, or transferred.
• Consider for a moment some common assumptions about e-mail. When
you receive e-mail, you assume that a specific individual or group created
and transmitted the e-mail—you assume you know its origin. This is not
always the case.
• E-mail spoofing, the act of sending an e-mail message with a modified
field, is a problem for many people today because the modified field
often is the address of the originator. Spoofing the sender’s address can
fool e-mail recipients into thinking that the messages are legitimate
traffic, thus inducing them to open e-mail they otherwise might not have.
35
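The From address is just text that any sender can fill in, which is what makes spoofing work. The Go program below is an added example (not code from these slides or the textbook): it parses a constructed message with the standard net/mail package and applies a DMARC-style strict identifier alignment check, requiring the domain in the visible From header to equal the domain of the Return-Path that the receiving mail server recorded. The message text, addresses and domains are constructed for the example, and the check assumes the Return-Path was written by a trusted receiving MTA that had already validated it with SPF, which this code does not do.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

// addressDomain extracts the lower-cased domain from a single header address
// such as `"CEO" <ceo@corp.example>` or `<bounce@mailer.attacker.example>`.
func addressDomain(headerValue string) (string, error) {
	addr, err := mail.ParseAddress(headerValue)
	if err != nil {
		return "", err
	}
	at := strings.LastIndex(addr.Address, "@")
	if at < 0 {
		return "", fmt.Errorf("no domain in address %q", addr.Address)
	}
	return strings.ToLower(addr.Address[at+1:]), nil
}

// Alignment is the result of comparing the visible sender with the envelope sender.
type Alignment struct {
	FromDomain       string // domain the recipient sees in From:
	ReturnPathDomain string // domain of the envelope sender recorded by the receiving MTA
	Aligned          bool   // true only when the two domains are identical (strict alignment)
}

// CheckAlignment parses a raw RFC 5322 message and reports whether the From:
// domain matches the Return-Path domain. Assumption: Return-Path was added by a
// receiving MTA that validated the envelope sender with SPF; a From: header on
// its own proves nothing about who sent the message.
func CheckAlignment(rawMessage string) (Alignment, error) {
	msg, err := mail.ReadMessage(strings.NewReader(rawMessage))
	if err != nil {
		return Alignment{}, err
	}
	from := msg.Header.Get("From")
	returnPath := msg.Header.Get("Return-Path")
	if from == "" || returnPath == "" {
		return Alignment{}, errors.New("message lacks From or Return-Path header")
	}
	fromDomain, err := addressDomain(from)
	if err != nil {
		return Alignment{}, err
	}
	rpDomain, err := addressDomain(returnPath)
	if err != nil {
		return Alignment{}, err
	}
	return Alignment{
		FromDomain:       fromDomain,
		ReturnPathDomain: rpDomain,
		Aligned:          fromDomain == rpDomain,
	}, nil
}

// Constructed sample messages (not real traffic). The spoofed one shows a
// company executive in From: while the bounce address points at another domain.
const SpoofedMessage = "Return-Path: <bounce@mailer.attacker.example>\n" +
	"From: \"CEO\" <ceo@corp.example>\n" +
	"To: finance@corp.example\n" +
	"Subject: Urgent wire transfer\n" +
	"\n" +
	"Please wire the attached invoice today.\n"

const GenuineMessage = "Return-Path: <ceo@corp.example>\n" +
	"From: \"CEO\" <ceo@corp.example>\n" +
	"To: finance@corp.example\n" +
	"Subject: Q3 numbers\n" +
	"\n" +
	"See attached.\n"

func main() {
	for name, raw := range map[string]string{"spoofed": SpoofedMessage, "genuine": GenuineMessage} {
		a, err := CheckAlignment(raw)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%-8s From=%s Return-Path=%s aligned=%v\n", name, a.FromDomain, a.ReturnPathDomain, a.Aligned)
	}
}
```

The check only compares two header strings; it is meaningful because the receiving MTA, not the sender, wrote Return-Path. In production the same alignment is enforced by DMARC against an SPF-validated envelope sender or a DKIM-signed domain, and relaxed mode also accepts subdomains of the organizational domain, which this strict comparison does not.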
Confidentiality
Confidentiality: An attribute of information that describes how data
is protected from disclosure or exposure to unauthorized individuals
or systems; Related to Privacy.
• Information has confidentiality when it is protected from
disclosure or exposure to unauthorized individuals or systems.
Confidentiality ensures that only users with the rights, privileges,
and need to access information are able to do so. When
unauthorized individuals or systems view information, its
confidentiality is breached.
• Measures to protect confidentiality:
– Information classification
– Secure document storage
– Application of general security policies
– Education of information custodians and end users
• Refer to page 17 for example scenarios of unintentional disclosures.
36
Confidentiality ..
• The value of confidentiality is especially high for personal information about employees,
customers, or patients.
• People who transact with an organization expect that their personal information will
remain confidential, whether the organization is a federal agency, such as the Internal
Revenue Service, a healthcare facility, or a business.
• Problems arise when companies disclose confidential information. Sometimes this
disclosure is intentional, sometimes by mistake—for example, when confidential
information is mistakenly e-mailed to someone outside the organization rather than to
someone inside it.
• Examples of confidentiality breaches: an employee throwing away a document containing
critical information without shredding it, or a hacker who successfully breaks into an
internal database of a Web-based organization and steals sensitive information about
their clients, such as names, addresses, and credit card numbers.
• As a consumer, you give pieces of personal information in exchange for convenience or
value almost daily. By using a “members” card at a grocery store, you disclose your
spending habits. When you fill out an online survey, you exchange pieces of your personal
history for access to online privileges. When you sign up for a free magazine, Web
resource, or free software application, you provide personally identifiable information
(PII). This may be copied, sold, replicated, distributed, and eventually coalesced into
profiles and even complete dossiers of you and your life.
37
Integrity
Integrity: An attribute of information that describes how data is
whole, complete, and uncorrupted.
• The integrity of information is threatened when it is exposed to
corruption, damage, destruction, or other disruption of its
authentic state.
• Corruption can occur while information is being stored or transmitted.
Many computer viruses and worms are designed with the explicit purpose of
corrupting data. For this reason, a key method for detecting a virus or worm
is to look for changes in file integrity. A change in file size is one crude
sign, but a modification that keeps the size the same is not caught by a
size check, so hash comparison is the reliable method.
• A method of assuring information integrity is file hashing, in which a file
is read by a special algorithm that uses the bit values in the file to
compute a single large number called a hash value. For a cryptographic hash
function it is computationally infeasible to find two different files with
the same hash value, so a matching hash is strong evidence that the file is
unchanged (hash values cannot be literally unique, since there are far more
possible files than possible hash values).
38
Integrity ..
• If a computer system performs the same hashing algorithm on a file and
obtains a different number than the file's recorded hash value, the file has
been compromised and the integrity of the information is lost. Information
integrity is the cornerstone of information systems because information is
of no value or use if users cannot verify its integrity.
• Integrity can also be lost through file corruption, transmission noise, or
data read at low voltage levels.
• Countermeasures: redundancy bits and check bits, hash values, and
error-correcting codes applied during storage and transmission help maintain
the integrity of information.

39
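As an added example (not code from these slides or the textbook), the Go program below builds a manifest of SHA-256 hash values for a set of constructed sample files and verifies them later. It also shows why a file-size check is weak: a one-byte change that keeps the file the same length is invisible to a size comparison but changes the hash. File names and contents are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Fingerprint returns the length of data in bytes and its SHA-256 digest as hex.
func Fingerprint(data []byte) (size int, digest string) {
	sum := sha256.Sum256(data)
	return len(data), hex.EncodeToString(sum[:])
}

// Manifest maps a file name to the digest recorded when the file was known good.
type Manifest map[string]string

// BuildManifest records a digest for every file. In practice the manifest must
// be stored where an attacker who can change the files cannot also change it.
func BuildManifest(files map[string][]byte) Manifest {
	m := make(Manifest, len(files))
	for name, data := range files {
		_, digest := Fingerprint(data)
		m[name] = digest
	}
	return m
}

// Verify recomputes every digest and returns, sorted, the names of files whose
// contents differ from the manifest; a file listed in the manifest but absent
// from files is reported with a "(missing)" suffix.
func Verify(m Manifest, files map[string][]byte) []string {
	var changed []string
	for name, want := range m {
		data, ok := files[name]
		if !ok {
			changed = append(changed, name+" (missing)")
			continue
		}
		if _, got := Fingerprint(data); got != want {
			changed = append(changed, name)
		}
	}
	sort.Strings(changed)
	return changed
}

// SameSizeTamper flips the low bit of one byte, so the length is unchanged:
// the kind of modification a file-size check cannot detect.
func SameSizeTamper(data []byte, offset int) []byte {
	out := append([]byte(nil), data...)
	out[offset] ^= 0x01
	return out
}

func main() {
	// Constructed sample files for the example.
	files := map[string][]byte{
		"payroll.csv": []byte("id,name,amount\n1,alice,5000\n2,bob,4800\n"),
		"config.ini":  []byte("[db]\nhost=db.internal\n"),
	}
	manifest := BuildManifest(files)

	// Attacker turns alice's 5000 into 5001 without changing the file size.
	payroll := files["payroll.csv"]
	tampered := SameSizeTamper(payroll, bytes.Index(payroll, []byte("5000"))+3)
	later := map[string][]byte{"payroll.csv": tampered, "config.ini": files["config.ini"]}

	s1, h1 := Fingerprint(payroll)
	s2, h2 := Fingerprint(tampered)
	fmt.Printf("size check: %d == %d -> tamper not detected\n", s1, s2)
	fmt.Printf("hash check: %s... vs %s... -> differ\n", h1[:16], h2[:16])
	fmt.Println("changed files:", Verify(manifest, later))
}
```

The manifest is only as trustworthy as its storage: if the digests sit next to the files on the same disk, whoever can rewrite the files can rewrite the digests, so real integrity checkers keep the manifest read-only, off-host, or signed.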
Possession
• Possession: An attribute of information that describes how the data’s ownership or control is
legitimate or authorized.
• The possession of information is the quality or state of ownership or control.
• Information is said to be in one’s possession if one obtains it, independent of format or other
characteristics. While a breach of confidentiality always results in a breach of possession, a
breach of possession does not always lead to a breach of confidentiality.
• For example, assume a company stores its critical customer data using an encrypted file system.
An employee who has quit decides to take a copy of the tape backups and sell the customer
records to a competitor. The removal of the tapes from their secure environment is a breach of
possession. But, because the data is encrypted, neither the former employee nor anyone else
can read it without the proper decryption key; therefore, there is no breach of confidentiality.
• Today, people who are caught selling company secrets face increasingly stiff fines and a strong
likelihood of jail time. Also, companies are growing more reluctant to hire people who have
demonstrated dishonesty in their past.
• Another example is a ransomware attack, in which an attacker encrypts important
information and offers to provide the decryption key for a fee. The attack results in a breach
of possession because the owner no longer has usable possession of the information.

40
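To make the tape scenario concrete, the Go program below is an added example (not code from these slides or the textbook). It encrypts a constructed customer record with AES-256-GCM from Go's standard library and then plays out both scenarios above: a copied ciphertext that the thief cannot decrypt (possession breached, confidentiality intact, and any modification rejected by the authentication tag), and a ransomware case where the data is sealed under a key the owner does not hold. The key is derived from a fixed string purely so the example runs stand-alone; a real system would use a random key held in a key-management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// DemoKey derives a 32-byte AES-256 key from a label. This is only so the
// example is reproducible offline; production keys must be random and kept
// in a key store, never derived from a string in source code.
func DemoKey(label string) []byte {
	k := sha256.Sum256([]byte("example-key:" + label))
	return k[:]
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// A fresh random nonce is used for every call; reusing a nonce with the same
// key would break GCM's guarantees.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. It returns an error for the wrong key and for any
// modified byte, because the GCM tag covers the whole ciphertext.
func Open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed sample record for the example.
	record := []byte("name=Alice Example;card=4111111111111111")
	ownerKey := DemoKey("backup-tape-2024")

	backup, err := Seal(ownerKey, record)
	if err != nil {
		panic(err)
	}

	// Scenario 1: the former employee walks out with a copy of the tape.
	stolenCopy := append([]byte(nil), backup...) // possession is breached here
	if _, err := Open(DemoKey("guess"), stolenCopy); err != nil {
		fmt.Println("thief with wrong key:  ", err, "(confidentiality intact)")
	}
	stolenCopy[len(stolenCopy)-1] ^= 0x80 // attempt to alter the data
	if _, err := Open(ownerKey, stolenCopy); err != nil {
		fmt.Println("modified ciphertext:   ", err, "(integrity check fails)")
	}
	if pt, err := Open(ownerKey, backup); err == nil {
		fmt.Println("owner with key:        ", string(pt))
	}

	// Scenario 2: ransomware seals the owner's data under the attacker's key.
	ransomed, _ := Seal(DemoKey("attacker-only"), record)
	if _, err := Open(ownerKey, ransomed); err != nil {
		fmt.Println("owner after ransomware:", err, "(possession lost)")
	}
}
```

The possession breach happens at the moment the copy is made, whatever the encryption; what encryption buys is that the breach stops there. The ransomware case is the mirror image: the bytes never leave the owner, yet possession is lost because usable access now depends on a key only the attacker holds, which is why offline backups are the practical countermeasure.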
Utility
Utility: An attribute of information that describes how data has
value or usefulness for an end purpose.
• The utility of information is the quality or state of having value
for some purpose or end. In other words, information has value
when it can serve a purpose. If information is available but is
not in a meaningful format to the end user, it is not useful.
• For example, U.S. Census data can quickly become
overwhelming and difficult for a private citizen to interpret;
however, for a politician, the same data reveals information
about residents in a district, such as their race, gender, and age.
This information can help form a politician’s next campaign
strategy.
41
CNSS security model
• The Committee on National Security Systems (CNSS) developed the security
model described here.
• McCumber Cube: A graphical representation of the
architectural approach widely used in computer and
information security; commonly shown as a cube
composed of 3x3x3 cells, similar to a Rubik’s Cube.
• Created by John McCumber in 1991.
• The model is based in part on the CNSS document called
the National Training Standard for Information Systems
Security Professionals, NSTISSI No. 4011 (1994).

42
The McCumber Cube
• 27 cells represent areas that must be addressed to secure today’s information systems.
To ensure comprehensive system security, each of the 27 areas must be properly
addressed during the security process.
• For example, the intersection of technology, integrity, and storage requires a set of
controls or safeguards that address the need to use technology to protect the integrity
of information while in storage.
• One such control might be a host-based intrusion detection system that
protects the integrity of information by alerting security administrators to
the potential modification of a critical file.
• A common omission from such a model is the need for guidelines and policies
that provide direction for the practices and implementations of technologies.

43
Components of an information system
• Information system (IS) :The entire set of software,
hardware, data, people, procedures, and networks that
enable the use of information resources in the
organization.
• Physical security: The protection of physical items,
objects, or areas from unauthorized access and misuse.
• The six critical components, viz., hardware, software,
networks, people, procedures, and data enable
information to be input, processed, output, and stored.

44
Security in the Systems development life
cycle
• Systems development life cycle (SDLC): A methodology for the design
and implementation of an information system.
• The SDLC contains different phases depending on the methodology
deployed, but the general phases include: the investigation, analysis,
design, implementation, and maintenance of an information system.
• Information security should be implemented into every major system in
an organization.
• One approach for implementing information security into an
organization’s information systems is to ensure that security is a
fundamental part of the organization’s systems development life cycle
(SDLC).
• To understand how security is integrated into the systems development
life cycle, you must first understand the foundations of systems
development.
45
Foundations of System development
• Each organization has a unique set of needs for the development of information (and security)
systems. The organization’s culture dictates the nature and types of systems development activities.
Most organizations use off-the-shelf applications or work with other firms that specialize in the
development and deployment of information systems.
• For in-house development of systems, they can choose from a variety of development approaches,
including RAD, JAD, Agile, and one of the newest approaches, DevOps (bringing development and
operations together).
• One innovation: while in early development projects systems owners and software developers
collaborated to define specifications and create systems, an innovative approach known as joint
application development (JAD) added members of the management team and future users to that collaboration.
• Another innovation that occurred with the JAD approach was to increase the speed at which
requirements were collected and software was prototyped, thus allowing more iterations in the
design process—an approach called rapid application development (RAD).
• This type of development later evolved into a combined approach known as the spiral method, in
which each stage of development was completed in smaller increments, with more frequent
delivery of working software components and the software under development reaching its
intended finished state with each pass through the development process.

46
Contd..
• Next a collective approach to systems development known as agile or extreme programming
(XP) evolved with aspects of systems development known as Kanban and scrum.
• With the reduced development & testing time, even faster feedback cycles were required to
reduce time to market and shorten feature rollout times.
• When coupled with a need to better integrate the effort of the development team and the
operations team to improve the functionality and security of applications, another model
known as DevOps has begun to emerge.
• DevOps focuses on integrating the need for the development team to provide iterative and
rapid improvements to system functionality and the need for the operations team to improve
security and minimize the disruption from software release cycles.
• By collaborating across the entire software/service lifecycle, DevOps uses a continuous
development model that relies on systems thinking, short feedback loops, and continuous
experimentation and learning.
• Each of these approaches has its advantages and disadvantages, and each can be effective
under the right circumstances. People who work in software development, and in the
specialty areas of information security that support the software assurance process, must be
conversant with each of these methodologies.
• An emerging development has been called SecOps by some: the DevOps methodology of an
integrated development and operations approach, applied to the specification, creation, and
implementation of security control systems.

47
The Systems Development Life cycle
• Methodology: A formal approach to solving a problem
based on a structured sequence of procedures.
• An SDLC is a methodology for the design and
implementation of an information system.
• Using a methodology ensures a rigorous process with
a clearly defined goal and increases the probability of
success. Once a methodology has been adopted, the
key milestones are established and a team is selected
and made accountable for accomplishing the project
goals.
48
Traditional development methods
• Waterfall model: A type of SDLC in which each phase of the
process “flows from” the information gained in the previous
phase, with multiple opportunities to return to previous
phases and make adjustments.
• Each phase begins with the results and information gained
from the previous phase.
Figure: the six phases of the waterfall model.
49
Investigation
• The first phase, investigation, is the most important. What
problem is the system being developed to solve?
• The investigation phase begins by examining the event or
plan that initiates the process. During this phase, the
objectives, constraints, and scope of the project are specified.
• A preliminary cost-benefit analysis evaluates the perceived
benefits and their appropriate levels of cost. At the
conclusion of this phase and at every phase afterward, a
process will be undertaken to assess economic, technical, and
behavioral feasibilities and ensure that implementation is
worth the organization’s time and effort.

50
Analysis
• The analysis phase begins with the information
gained during the investigation phase. This phase
consists primarily of assessments of the organization,
its current systems, and its capability to support the
proposed systems.
• Analysts begin by determining what the new system
is expected to do and how it will interact with
existing systems.
• This phase ends with documentation of the findings
and an update of the feasibility analysis.
51
Logical Design
• This phase begins creating a systems solution for a business problem.
• In any systems solution, we need to consider the business need.
Based on the business need, applications are selected to
provide the needed services. The team chooses data support
structures to suit the needed inputs. Finally, specific
technologies are set to implement the physical solution.
• It is the blueprint for the desired solution. The logical design
is implementation independent, meaning it has no reference to
specific technologies, vendors, or products. It just addresses
how the proposed system will solve the problem at hand.
• Analysts generate estimates of costs and benefits to allow for
a general comparison of available options.
• At the end of this phase, another feasibility analysis is
performed.
52
Physical design
• During the physical design phase, specific technologies
are selected to support the alternatives identified and
evaluated in the logical design.
• The selected components are evaluated based on a
make-or-buy decision—the option to develop
components in-house or purchase them from a vendor.
• Final designs integrate various components and
technologies.
• After another feasibility analysis, the entire solution is
presented to the organization’s management for
approval.
53
Implementation
• In the implementation phase, any needed software
is created. Components are ordered, received, and
tested.
• Afterwards, users are trained and supporting
documentation created.
• Once all components are tested individually, they
are installed and tested as a system.
• A feasibility analysis is again prepared, and the
sponsors are then presented with the system for a
performance review and acceptance test.
54
Maintenance and change
• The maintenance and change phase is the longest and most expensive of the
process.
• This phase consists of the tasks necessary to support and modify the system for
the remainder of its useful life cycle. Even though formal development may
conclude during this phase, the life cycle of the project continues until the team
determines that the process should begin again from the investigation phase.
• At periodic points, the system is tested for compliance, and the feasibility of
continuance versus discontinuance is evaluated.
• Upgrades, updates, and patches are managed.
• As the needs of the organization change, the systems that support the
organization must also change.
• The people who manage and support the systems must continually monitor their
effectiveness in relation to the organization’s environment.
• When a current system can no longer support the evolving mission of the
organization, the project is terminated and a new project is implemented.

55
Software assurance (SA)
• It is a methodological approach to the development of software that seeks to
build security into the development life cycle rather than address it at later
stages.
• SA attempts to intentionally create software free of vulnerabilities and
provide effective, efficient software that users can deploy with confidence.
• Many of the information security issues facing modern information systems
have their root cause in the software elements of the system.
• Secure systems require secure or at least securable software. The
development of systems and the software they use is often accomplished
using a methodology, such as the SDLC described earlier.
• Many organizations recognize the need to include planning for security
objectives in the SDLC they use to create systems, and have established
procedures to create software that is more capable of being deployed in a
secure fashion. This approach to software development is known as software
assurance, or SA.
56
Building Security into SDLC
• Organizations are increasingly working to build security into the SDLC to prevent
security problems before they begin.
• A national effort is underway to create a common body of knowledge focused on
secure software development.
• The U.S. Department of Defense launched a Software Assurance Initiative in
2003.
• This initial process was led by Joe Jarzombek and was endorsed and supported by
the Department of Homeland Security (DHS), which joined the program in 2004.
• This program initiative resulted in the publication of the Secure Software
Assurance (SwA) Common Body of Knowledge (CBK).
• A working group drawn from industry, government, and academia was formed to
examine two key questions:
1. What are the engineering activities or aspects of activities that are relevant to
achieving secure software?
2. What knowledge is needed to perform these activities or aspects?
• The SwA CBK serves as a strongly recommended guide to developing more secure
applications.
57
Main contents of SwA CBK document
• Nature of Dangers
• Fundamental Concepts and Principles
• Ethics, Law, and Governance
• Secure Software Requirements
• Secure Software Design
• Secure Software Construction
• Secure Software Verification, Validation, and Evaluation
• Secure Software Tools and Methods
• Secure Software Processes
• Secure Software Project Management
• Acquisition of Secure Software
• Secure Software Sustainment
58
Software design principles
• Good software development should result in a finished product that
meets all of its design specifications.
• Information security considerations are a critical component of those
specifications, though that has not always been true. Leaders in software
development J. H. Saltzer and M. D. Schroeder (1975) note that:
“The protection of information in computer systems and the usefulness of a set of protection
mechanisms depends upon the ability of a system to prevent security violations. In
practice, producing a system at any level of functionality that actually does prevent all such
unauthorized acts has proved to be extremely difficult. Sophisticated users of most systems
are aware of at least one way to crash the system, denying other users authorized access to
stored information.
Penetration exercises involving a large number of different general-purpose systems all have
shown that users can construct programs that can obtain unauthorized access to
information stored within. Even in systems designed and implemented with security as an
important objective, design and implementation flaws provide paths that bypass the
intended access constraints. Design and construction techniques that systematically exclude
flaws are the topic of much research activity, but no complete method applicable to the
construction of large general-purpose systems exists …”

59
Common Security Principles
• Economy of mechanism: Keep the design as simple and small as possible.
• Fail-safe defaults: Base access decisions on permission rather than exclusion.
• Complete mediation: Every access to every object must be checked for authority.
• Open design: The design should not be secret, but rather depend on the
possession of keys or passwords.
• Separation of privilege: Where feasible, a protection mechanism should require
two keys to unlock, rather than one.
• Least privilege: Every program and every user of the system should operate using
the least set of privileges necessary to complete the job.
• Least common mechanism: Minimize mechanisms (or shared variables) common
to more than one user and depended on by all users.
• Psychological acceptability: It is essential that the human interface be designed
for ease of use, so that users routinely and automatically apply the protection
mechanisms correctly.

60
The NIST approach to securing SDLC
• NIST has adopted a simplified SDLC for its approach, based on
five phases: initiation, development/acquisition, implementation/
assessment, operation/maintenance, and disposal. These loosely
map to the SDLC approach described earlier.
Comparing waterfall phases & NIST SDLC phases:

61
NIST advice for securing systems
• NIST Special Publication 800-64, rev. 2,
provides an overview of the security considerations for each phase of
the SDLC.
• Early integration of security in the SDLC enables agencies to maximize
return on investment in their security programs, through:
– Early identification and mitigation of security vulnerabilities and
misconfigurations resulting in lower cost of security control implementation
and vulnerability mitigation;
– Awareness of potential engineering challenges caused by mandatory security
controls;
– Identification of shared security services and reuse of security strategies and
tools to reduce development cost and schedule while improving security
posture through proven methods and techniques; and
– Facilitation of informed executive decision making through comprehensive risk
management in a timely manner. […]
Initiation phase
• During this first phase of the development life cycle,
security considerations are key to diligent and early
integration, thereby ensuring that threats, requirements,
and potential constraints in functionality and integration are
considered.
• At this point, security is looked at more in terms of business
risks with input from the information security office.
• For example, an agency may identify a political risk resulting
from a prominent Web site being modified or made
unavailable during a critical business period, resulting in
decreased trust by citizens.
Security activities for Initiation phase
• Initial delineation of business requirements in terms of
confidentiality, integrity, and availability;
• Determination of information categorization and identification of
known special handling requirements to transmit, store, or create
information such as personally identifiable information; and
• Determination of any privacy requirements.
Early planning and awareness will result in cost and time savings
through proper risk management planning. Security discussions
should be performed as part of (not separately from) the
development project to ensure solid understanding among project
personnel of business decisions and their risk implications for the
overall development project. See the figure on the next slide.
Relating security considerations in the Initiation phase
Security activities in Development/Acquisition phase
• Conduct the risk assessment and use the
results to supplement the baseline security
controls;
• Analyze security requirements;
• Perform functional and security testing;
• Prepare initial documents for system
certification and accreditation; and
• Design security architecture
Relating security considerations in the Development/Acquisition phase
Activities and related outputs.
67
Implementation/Assessment Phase
• The system will be installed and evaluated in the organization’s
operational environment.
• Main security activities for this phase include:
– Integrate the information system into its environment;
– Plan and conduct system certification activities in
synchronization with testing of security controls; and
– Complete system accreditation activities.
• Note that the Certification and Authorization (C&A) approach to systems
formerly used by the federal government has evolved into a
comprehensive Risk Management Framework (RMF). As such, the
performance of a risk assessment on the system under development
would replace the C&A process.
68
Activities and Outputs in Implementation
Plans of Action and Milestones (POA&Ms)

69
Operations and Maintenance in SDLC
• In this phase, systems are in place and operating, enhancements
and/or modifications to the system are developed and tested, and
hardware and/or software is added or replaced.
• The system is monitored for continued performance in accordance
with security requirements and needed system modifications are
incorporated.
• The operational system is periodically assessed to determine how
the system can be made more effective, secure, and efficient.
Operations continue as long as the system can be effectively
adapted to respond to an organization’s needs while maintaining an
agreed-upon risk level.
• When necessary modifications or changes are identified, the system
may reenter a previous phase of the SDLC.

70
Security activities in Operations & maintenance phase
• Conduct an operational readiness review;
• Manage the configuration of the system;
• Institute processes and procedures for assured
operations and continuous monitoring of the
information system’s security controls; and
• Perform reauthorization as required.

71
Security considerations in phase 4
Plans of Action and Milestones (POA&Ms)
72
Disposal phase
• In this phase the system is disposed of and any contracts are closed out.
Information security issues associated with information and system disposal should be
addressed explicitly.
• When information systems are transferred, become obsolete, or are no longer usable,
it is important to ensure that government resources and assets are protected.
• Usually, there is no definitive end to a system. Systems normally evolve or transition to
the next generation because of changing requirements or improvements in
technology.
• System security plans should continually evolve with the system.
• The environmental, management, and operational information should still be relevant
and useful in developing the security plan for the follow-on system.
• The disposal activities ensure the orderly termination of the system and preserve the
vital information about the system so that some or all of the information may be
reactivated in the future, if necessary. Particular emphasis is given to proper
preservation of the data processed by the system so that the data is effectively
migrated to another system or archived in accordance with applicable records
management regulations and policies for potential future access.

73
Security activities in disposal phase
• Building and executing a disposal/transition
plan;
• Archival of critical information;
• Sanitization of media; and
• Disposal of hardware and software

74
Security considerations in Disposal phase

75