Lecture 1 - Introduction

Introduction to Information Security Assurance

Uploaded by

Ganesh Basnet
LECTURE 1

INTRODUCTION
LEARNING OUTCOMES
• To define the nature and value of information
• To explain security issues, information security and information assurance
• To identify disaster recovery and forensics
• To discuss the information assurance analysis model (MSR model; threats; vulnerabilities; attacks; countermeasures)
Source: Principles of Information Security, Michael E. Whitman; Herbert J. Mattord
COMPONENTS OF
INFORMATION SECURITY

KEY INFORMATION SECURITY CONCEPTS
• Access—A subject or object’s ability to use, manipulate, modify, or affect another subject or object. Authorized users have legal access to a system, whereas hackers must gain illegal access to a system. Access controls regulate this ability.
• Asset—The organizational resource that is being protected. An asset can be logical, such as a Web site, software information, or data; or an asset can be physical, such as a person, computer system, hardware, or other tangible object. Assets, particularly information assets, are the focus of what security efforts are attempting to protect.
• Attack—An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it.
KEY INFORMATION SECURITY CONCEPTS
• Control, safeguard, or countermeasure—Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security within an organization. The various levels and types of controls are discussed more fully in the following modules.
• Exploit—A technique used to compromise a system. This term can be a verb or a noun. Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain. Or, an exploit can be a documented process to take advantage of a vulnerability or exposure, usually in software, that is either inherent in the software or created by the attacker. Exploits make use of existing software tools or custom-made software components.
• Exposure—A condition or state of being exposed; in information security, exposure exists when a vulnerability is known to an attacker.
KEY INFORMATION SECURITY CONCEPTS
• Loss—A single instance of an information asset suffering damage or destruction, unintended or unauthorized modification or disclosure, or denial of use. When an organization’s information is stolen, it has suffered a loss.
• Protection profile or security posture—The entire set of controls and safeguards—including policy, education, training and awareness, and technology—that the organization implements to protect the asset. The terms are sometimes used interchangeably with the term security program, although a security program often comprises managerial aspects of security, including planning, personnel, and subordinate programs.

KEY INFORMATION SECURITY CONCEPTS
• Risk—The probability of an unwanted occurrence, such as an adverse event or loss. Organizations must minimize risk to match their risk appetite—the quantity and nature of risk they are willing to accept.
• Subjects and objects of attack—A computer can be either the subject of an attack—an agent entity used to conduct the attack—or the object of an attack: the target entity. See Figure 1-8. A computer can also be both the subject and object of an attack. For example, it can be compromised by an attack (object) and then used to attack other systems (subject).

KEY INFORMATION SECURITY CONCEPTS
• Threat—Any event or circumstance that has the potential to adversely affect operations and assets. The term threat source is commonly used interchangeably with the more generic term threat. The two terms are technically distinct, but to simplify discussion, the text will continue to use the term threat to describe threat sources.
• Threat agent—The specific instance or a component of a threat.

KEY INFORMATION SECURITY CONCEPTS
• Threat event—An occurrence of an event caused by a threat agent.
• Threat source—A category of objects, people, or other entities that represents the origin of danger to an asset—in other words, a category of threat agents. Threat sources are always present and can be purposeful or undirected.
• Vulnerability—A potential weakness in an asset or its defensive control system(s).
KEY CONCEPTS OF
INFORMATION SECURITY
C.I.A. Triad
• The industry standard for computer security since the development of the mainframe; the standard is based on three characteristics that describe the attributes of information that are important to protect: confidentiality, integrity, and availability.

C.I.A.
• Confidentiality
  - Data confidentiality: Assures that confidential information is not disclosed to unauthorized individuals
  - Privacy: Assures that individuals control or influence what information may be collected and stored
• Integrity
  - Data integrity: Assures that information and programs are changed only in a specified and authorized manner
  - System integrity: Assures that a system performs its operations in an unimpaired manner
• Availability: Assures that systems work promptly and service is not denied to authorized users
Other concepts to a complete security picture
• Authenticity: the property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, or a message, or its originator
• Accountability: generates the requirement for actions of an entity to be traced uniquely to that individual to support nonrepudiation, deterrence, fault isolation, etc.
Activity 1
• Discuss C.I.A.
• Find the Malaysian laws that have been enacted to protect the privacy of electronic data
DISASTER RECOVERY
Disaster recovery
Disaster recovery is the process, policies and procedures related to:
- Preparing for recovery, or
- Continuation of technology infrastructure that is critical to an organization after a natural or human-induced disaster.

Disaster recovery is a subset of business continuity. While business continuity involves planning for keeping all aspects of a business functioning in the midst of disruptive events, disaster recovery focuses on the IT or technology systems that support business functions.
A business continuity plan (BCP)
A business continuity plan (BCP):
• includes planning for non-IT related aspects such as key personnel, facilities, crisis communication and reputation protection, and
• should refer to the disaster recovery plan (DRP) for IT related infrastructure recovery / continuity.
Note:
Disaster recovery planning is a subset of a larger process known as business continuity planning and should include planning for resumption of applications, data, hardware, communications (such as networking) and other IT infrastructure.
Classification of Disasters
Disasters can be classified in TWO (2) broad categories:
1. Natural disasters such as floods, hurricanes, tornadoes or earthquakes.
2. Man-made disasters. These include hazardous material spills, infrastructure failure, or bio-terrorism.

Can we avoid or decrease the losses due to these disasters by:
1. Preventing the disaster?
2. Measures such as good planning?
While preventing a natural disaster is very difficult, measures such as good planning, which includes mitigation measures, can help reduce or avoid losses. In these instances surveillance and mitigation planning are invaluable towards avoiding or lessening losses from these events.
Control measures in recovery plan
• Control measures are steps or mechanisms that can reduce or eliminate various threats for organizations.
• Different types of measures can be included in BCP/DRP.

These types of measures are:
• Preventive measures - These controls are aimed at preventing an event from occurring.
• Detective measures - These controls are aimed at detecting or discovering unwanted events.
• Corrective measures - These controls are aimed at correcting or restoring the system after a disaster or event.

These controls should always be documented and tested regularly.


Assume that you are a disaster recovery planner in an e-business company. What are the steps that you have to follow to determine the most suitable recovery strategy?
1. Refer to the organization's business continuity plan, which should indicate the key metrics of:
   • Recovery Point Objective (RPO) and
   • Recovery Time Objective (RTO)
   for various business processes (such as the process to run payroll, generate an order, etc.).
2. The metrics specified for the business processes must then be mapped to the underlying IT systems and infrastructure that support those processes.
3. Once the RTO and RPO metrics have been mapped to IT infrastructure, the DR planner can determine the most suitable recovery strategy for each system.
An important note here, however, is that the business ultimately sets the IT budget, and therefore the RTO and RPO metrics need to fit with the available budget. While most business unit heads would like zero data loss and zero time loss, the cost associated with that level of protection may make the desired high availability solutions impractical.
What are the most common strategies for data protection (data recovery system)?
• Backups made to tape and sent off-site at regular intervals.
• Backups made to disk on-site and automatically copied to off-site disk, or made directly to off-site disk.
• Replication of data to an off-site location, which overcomes the need to restore the data (only the systems then need to be restored or synchronized). This generally makes use of storage area network (SAN) technology.
• High availability systems which keep both the data and system replicated off-site, enabling continuous access to systems and data.
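
The planning steps above (take RPO/RTO per business process, map them to the supporting IT systems, pick a strategy per system, check the budget) can be worked through in code. This is an added example, not part of the original slides; the process names, system names, hour values and cost units are constructed assumptions.

```python
# Constructed sample BCP metrics in hours; process and system names are illustrative.
PROCESSES = [
    {"name": "generate order", "rpo_h": 0.25, "rto_h": 1,
     "systems": ["web-shop", "orders-db"]},
    {"name": "run payroll", "rpo_h": 24, "rto_h": 72, "systems": ["hr-db"]},
    {"name": "monthly reporting", "rpo_h": 24, "rto_h": 48,
     "systems": ["orders-db", "reporting"]},
]

# The four strategies listed above, cheapest first. The RPO/RTO each can meet
# and the relative cost units are assumed figures, not values from the lecture.
STRATEGIES = [
    {"name": "tape backup sent off-site", "rpo_h": 24, "rto_h": 48, "cost": 1},
    {"name": "disk backup copied off-site", "rpo_h": 4, "rto_h": 12, "cost": 3},
    {"name": "off-site data replication", "rpo_h": 0.25, "rto_h": 4, "cost": 8},
    {"name": "high availability", "rpo_h": 0, "rto_h": 0.1, "cost": 20},
]


def system_requirements(processes):
    """Step 2: a system inherits the strictest RPO/RTO of any process that uses it."""
    needs = {}
    for proc in processes:
        for system in proc["systems"]:
            rpo, rto = needs.get(system, (float("inf"), float("inf")))
            needs[system] = (min(rpo, proc["rpo_h"]), min(rto, proc["rto_h"]))
    return needs


def choose_strategy(rpo_h, rto_h):
    """Step 3: the cheapest strategy that meets both objectives."""
    for strategy in STRATEGIES:
        if strategy["rpo_h"] <= rpo_h and strategy["rto_h"] <= rto_h:
            return strategy
    raise ValueError(f"no listed strategy meets RPO {rpo_h} h / RTO {rto_h} h")


def recovery_plan(processes, budget):
    """Build the per-system plan and check it against the budget set by the business."""
    plan, total = {}, 0
    for system, (rpo, rto) in sorted(system_requirements(processes).items()):
        strategy = choose_strategy(rpo, rto)
        plan[system] = strategy["name"]
        total += strategy["cost"]
    return {"plan": plan, "total_cost": total, "within_budget": total <= budget}


if __name__ == "__main__":
    result = recovery_plan(PROCESSES, budget=30)
    for system, strategy in result["plan"].items():
        print(f"{system:10s} -> {strategy}")
    print("total cost:", result["total_cost"], "within budget:", result["within_budget"])
```

With these figures the order process forces high availability onto both systems it touches and the plan exceeds the budget; relaxing its RTO to 4 hours lets replication satisfy it, which is the RTO/RPO-versus-budget negotiation the note above describes.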
Other choice
In many cases, an organization may elect to
use an outsourced disaster recovery provider
to provide a stand-by site and systems rather
than using their own remote facilities.
Precautionary Measures
In addition to preparing for the need to recover systems, organizations must also implement precautionary measures with an objective of preventing a disaster in the first place.

These may include some of the following:
• Local mirrors of systems and/or data and use of disk protection technology such as RAID
• Surge protectors — to minimize the effect of power surges on delicate electronic equipment
• Uninterruptible power supply (UPS) and/or backup generator to keep systems going in the event of a power failure
• Fire preventions — alarms, fire extinguishers
• Anti-virus software and other security measures
FORENSICS
Forensics

Forensic science (often shortened to forensics) is the application of a broad spectrum of sciences to answer questions of interest to a legal system. This may be in relation to a crime or a civil action.

In modern use, the term "forensics" in the place of "forensic science" can be considered correct as the term "forensic" is effectively a synonym for "legal" or "related to courts".
Digital forensics

Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. The term digital forensics was originally used as a synonym for computer forensics but has expanded to cover investigation of all devices capable of storing digital data.
Digital evidence or electronic evidence

Digital evidence or electronic evidence is any probative information stored or transmitted in digital form that a party to a court case may use at trial.
Digital forensics
Investigations can fall into one of four categories:

1. Forensic Analysis: the most common type, in which evidence is recovered to support or refute a hypothesis before a criminal court.
2. Intelligence Gathering: closely related to Forensic Analysis, in which material is intended to identify other suspects/crimes.
3. eDiscovery: a form of discovery related to civil litigation.
4. Intrusion Investigation: a specialist investigation into the nature and extent of an unauthorized network intrusion.

The technical aspect of an investigation is divided into several sub-branches, including:
• computer forensics
• network forensics
• database forensics
• mobile device forensics
Computer Forensics

• Computer Forensics is the art and science of applying computer science knowledge and skills to aid the legal process.
• The primary goals in computer forensics are collecting, preserving, filtering, and presenting digital artifacts of potential evidentiary value.
• Computer Forensics Investigator: an expert in computer forensics who performs the investigation process to retrieve computer evidence.
Phases Of Computer Forensics Investigation
Suppose that you are a Computer Forensics Investigator. List the steps you should follow to retrieve computer evidence:
1. Secure the computer system to ensure that the equipment and data are safe. This means the detectives must make sure that no unauthorized individual can access the computers or storage devices involved in the search. If the computer system connects to the Internet, detectives must sever the connection.

2. Find every file on the computer system, including files that are encrypted, protected by passwords, hidden or deleted, but not yet overwritten. Investigators should make a copy of all the files on the system. This includes files on the computer's hard drive or in other storage devices. Since accessing a file can alter it, it's important that investigators only work from copies of files while searching for evidence. The original system should remain preserved and intact.

3. Recover as much deleted information as possible using applications that can detect and retrieve deleted data.

4. Reveal the contents of all hidden files with programs designed to detect the presence of hidden data.
Phases Of Computer Forensics
5. Decrypt and access protected files.

6. Analyze special areas of the computer's disks, including parts that are normally inaccessible. (In computer terms, unused space on a computer's drive is called unallocated space. That space could contain files or parts of files that are relevant to the case.)

7. Document every step of the procedure. It's important for detectives to provide proof that their investigations preserved all the information on the computer system without changing or damaging it. Years can pass between an investigation and a trial, and without proper documentation, evidence may not be admissible. Robbins says that the documentation should include not only all the files and data recovered from the system, but also a report on the system's physical layout and whether any files had encryption or were otherwise hidden.

8. Be prepared to testify in court as an expert witness in computer forensics. Even when an investigation is complete, the detectives' job may not be done. They may still need to provide testimony in court.
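
Steps 2 and 7 above (work only from copies, and document proof that nothing was changed) are commonly supported with cryptographic hashes. The following is an added example, not part of the original slides: it assumes the evidence is already available as an image file, and the function names, file names and hash-chained log format are illustrative choices.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large disk image need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _entry_hash(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def log_step(log, action, item, digest, examiner):
    """Step 7: append a documentation entry chained to the previous entry's hash."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
        "item": str(item),
        "sha256": digest,
        "prev": log[-1]["entry_hash"] if log else "0" * 64,
    }
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)


def make_working_copy(original, workdir, log, examiner):
    """Step 2: copy the evidence, proving original and copy are bit-identical."""
    original = Path(original)
    before = sha256_file(original)
    copy = Path(workdir) / (original.name + ".working")
    shutil.copyfile(original, copy)
    if not (sha256_file(original) == before == sha256_file(copy)):
        raise ValueError("hash mismatch: original changed or copy is incomplete")
    log_step(log, "working copy created", copy, before, examiner)
    return copy


def log_is_intact(log):
    """Detect edited, removed or reordered documentation entries."""
    prev = "0" * 64
    for entry in log:
        if entry["prev"] != prev or entry["entry_hash"] != _entry_hash(entry):
            return False
        prev = entry["entry_hash"]
    return True


def copy_matches_log(copy, log):
    """Check that the working copy still has the hash recorded at acquisition."""
    recorded = [e["sha256"] for e in log if e["item"] == str(copy)]
    return bool(recorded) and sha256_file(copy) == recorded[0]


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        original = Path(tmp) / "evidence.img"
        original.write_bytes(b"constructed sample evidence bytes\n" * 100)
        log = []
        copy = make_working_copy(original, tmp, log, examiner="examiner-1")
        clean = copy_matches_log(copy, log) and log_is_intact(log)
        copy.write_bytes(copy.read_bytes() + b"x")  # accidental change during analysis
        altered_detected = not copy_matches_log(copy, log)
        log[0]["examiner"] = "someone-else"  # documentation edited after the fact
        return clean, altered_detected, not log_is_intact(log)


if __name__ == "__main__":
    print(demo())
```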
Rules of evidence
The rules of evidence are guidelines that determine how evidence should be handled. These guidelines take many things into consideration.

For example, they may determine what evidence is admissible, when it is admissible, and who is entitled to present it.
Issues that the court should determine before accepting digital evidence

Before accepting digital evidence a court will determine:
1. if the evidence is relevant
2. whether it is authentic
3. if it is hearsay
4. whether a copy is acceptable or the original is required

INFORMATION ASSURANCE
INFORMATION ASSURANCE
Measures that protect and defend information
and information systems by ensuring their
availability, integrity, authentication,
confidentiality, and non-repudiation. These
measures include providing for restoration of
information systems by incorporating
protection, detection, and reaction capabilities
Source: National Information Assurance (IA) Glossary
INFORMATION ASSURANCE
Information Assurance concerns implementation of methods focused on protecting and safeguarding critical information and relevant information systems by assuring confidentiality, integrity, availability, and non-repudiation. It is a strategic approach which focuses more on deployment of policies rather than building infrastructures.
Source: https://www.geeksforgeeks.org/information-assurance-model-in-cyber-security/
INFORMATION ASSURANCE MODEL aka MACONACHY, SCHOU, RAGSDALE (MSR) CUBE

https://www.geeksforgeeks.org/information-assurance-model-in-cyber-security/
INFORMATION ASSURANCE MODEL
Consists of FOUR (4) Dimensions:

1) Information States
Information is referred to as interpretation of data, which can be found in three states: stored, processed, or transmitted.

2) Security Services
It is the fundamental pillar of the model which provides security to the system and consists of five services, namely availability, integrity, confidentiality, authentication, and non-repudiation.

3) Security Countermeasures
This dimension has functionalities to save the system from immediate vulnerability by accounting for technology, policy & practice, and people.

4) Time
This dimension can be viewed in many ways. At any given time data may be available offline or online, and information and system might be in flux, thus introducing risk of unauthorized access. Therefore, in every phase of the System Development Cycle, every aspect of the Information Assurance model must be well defined and well implemented in order to minimize risk of unauthorized access.

1) INFORMATION STATE
Transmission
It defines time wherein data is between processing steps.
Example: In transit over networks when user sends email to reader, including memory and storage encountered during delivery.

Storage
It defines time during which data is saved on a medium such as a hard drive.
Example: Saving document on file server’s disk by user.

Processing
It defines time during which data is in processing state.
Example: Data is processed in random access memory (RAM) of workstation.

2) SECURITY SERVICES
Confidentiality
It assures that information of the system is not disclosed to unauthorized access and is read and interpreted only by persons authorized to do so. Protection of confidentiality prevents malicious access and accidental disclosure of information. Information that is considered to be confidential is called sensitive information. To ensure confidentiality, data is categorized into different categories according to damage severity and then strict measures are taken accordingly.
Example:
Protecting email content so that it is read only by the desired set of users. This can be ensured by data encryption. Two-factor authentication, strong passwords, security tokens, and biometric verification are some popular norms for authenticating users to access sensitive data.

Integrity
It ensures that sensitive data is accurate and trustworthy and cannot be created, changed, or deleted without proper authorization. Maintaining integrity involves guarding against modification or destruction of information by unauthorized access. To ensure integrity, backups should be planned and implemented in order to restore any affected data in case of a security breach. Besides this, a cryptographic checksum can also be used for verification of data.
Example:
Implementation of measures to verify that e-mail content was not modified in transit. This can be achieved by using cryptography, which will ensure that the intended user receives correct and accurate information.

2) SECURITY SERVICES
Availability
It guarantees reliable and constant access to sensitive data only by authorized users. It involves measures to sustain access to data in spite of system failures and sources of interference. To ensure availability, corrupted data must be eliminated, recovery time must be sped up, and physical infrastructure must be improved.
Example:
Access to and throughput of e-mail service.

Authentication
It is a security service that is designed to establish validity of transmission of a message by verification of an individual’s identity to receive a specific category of information. To provide this, various single-factor and multi-factor authentication methods are used. A single-factor authentication method uses a single parameter to verify a user’s identity, whereas two-factor authentication uses multiple factors to verify a user’s identity.
Example:
Entering a username and password when we log in to a website is an example of authentication. Entering correct login information lets the website verify our identity and ensures that only we access sensitive information.

2) SECURITY SERVICES
Non-Repudiation
It is a mechanism to ensure that the sender or receiver cannot deny the fact that they are part of a data transmission. When the sender sends data to the receiver, it receives delivery confirmation. When the receiver receives the message, it has all information regarding the sender attached within the message.
Example:
A common example is sending SMS from one mobile phone to another. After the message is received, a confirmation message is displayed that the receiver has received the message. In return, the message received by the receiver contains all information about the sender.

3) SECURITY COUNTERMEASURES
People
People are the heart of an information system. Administrators and users of information systems must follow policies and practice for designing a good system. They must be informed regularly regarding the information system and be ready to act appropriately to safeguard the system.

Policy & Practice
Every organization has some set of rules defined in the form of policies that must be followed by every individual working in the organization. These policies must be practiced in order to properly handle sensitive information whenever the system gets compromised.

Technology
Appropriate technology such as firewalls, routers, and intrusion detection must be used in order to defend the system from vulnerabilities and threats. The technology used must facilitate quick response whenever information security gets compromised.

SUMMARY
You have learnt:
- Nature and value of information
- Security issues, information security and information assurance
- Disaster recovery and forensics
- Information assurance analysis model (MSR model; threats; vulnerabilities; attacks; countermeasures)
THE END
