INF 806 - Information Security Lecture Slide 1

The document outlines the fundamentals of Information Security, including key concepts such as confidentiality, integrity, and availability (CIA), as well as the history and evolution of security measures. It discusses various types of threats, including reconnaissance, access, and denial of service attacks, and emphasizes the importance of layered security strategies. Additionally, it highlights the need for organizations to implement controls and training to protect against these threats effectively.

CBS 313
Information Security Policy

Introduction to Information Security
Learning Outcomes
Upon completion of this lecture, students should be able to:
- Understand the key terms and concepts of information security
- Comprehend the history of computer security and how it evolved into information security
- Understand the threats posed to information security and the more common attacks associated with those threats
- Differentiate threats to information systems from attacks against information systems
What Is Information Security?
- The U.S. Government's National Information Assurance Glossary defines INFOSEC as:
  "Protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats."
- The protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.
- A successful organization should have multiple layers of security in place:
  - Physical security (CCTV surveillance, security guards, protective barriers, locks)
  - Personal security (protecting people, e.g. from hijacking)
  - Operations security (security awareness training policy, clean desk policy, mobile device policy)
  - Communications security (encryption and decryption)
  - Network security (antivirus and anti-malware software, data loss prevention (DLP), email security, firewalls)
  - Information security (preventing unauthorized disclosure of sensitive information)
Basic Components of Security: Confidentiality, Integrity, and Availability (CIA)
- Confidentiality: Who is authorized to use the data?
- Integrity: Has the data been changed?
- Availability: Can I access the data whenever I need it?
[Figure: the CIA triangle, with C, I and A at the corners and S (Secure) at the centre]
You will never own a perfectly secure system!

Other security components added to CIA:
- Authentication (confirming your own identity)
- Authorization (granting access to the system)
- Non-repudiation (someone cannot deny the validity of something)
Confidentiality: Certain information must be kept secret from unauthorised access.
- Importance of confidentiality; a loss of confidentiality can mean:
  - Loss of revenue
  - Loss of reputation
  - Loss of clients/customers
  - Embarrassment
  - Breach of a legal/moral/ethical obligation to keep information confidential
- Ensuring confidentiality
  - Encryption (a method by which information is converted into a secret code that hides the information's true meaning)
  - Access control (a way of limiting access to system, physical or virtual resources; the process by which users are granted access and certain privileges to systems, resources or information)
Integrity: Ensures that information and systems have not been altered in an unauthorised way.
- Importance of integrity; integrity is threatened by:
  - Breaches
  - Malfunctions
  - Unauthorised changes, by people or by malware
- Ensuring integrity
  - Hashing (generating a value or values from a string of text using a mathematical function; one way to enable security during message transmission, protecting the transmission against tampering)
  - Error correcting codes (error correction is the process of detecting errors in transmitted messages and reconstructing the original error-free data, so that corrected, error-free messages are obtained at the receiver side)
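The hashing bullet above is easiest to see in code. The following is an added example, not part of the lecture: a constructed message is sent with a plain SHA-256 digest and, separately, with an HMAC-SHA256 tag under a shared key (the message, the key and the `demo` helper are all assumptions of this example). It shows that a bare hash catches accidental corruption but not deliberate modification, because whoever alters the message can recompute the hash, while a keyed MAC cannot be recomputed without the key.

```python
import hashlib
import hmac
import secrets

# Constructed sample message for this example (not from the lecture).
MESSAGE = b"TRANSFER 100.00 FROM ACC-1001 TO ACC-2002"


def digest(message: bytes) -> str:
    """Unkeyed SHA-256 of the message, sent alongside it."""
    return hashlib.sha256(message).hexdigest()


def plain_hash_verifies(message: bytes, received_digest: str) -> bool:
    """Receiver recomputes the hash and compares it with the one received."""
    return hmac.compare_digest(digest(message), received_digest)


def tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 over the message with a key shared only by sender and receiver."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def hmac_verifies(key: bytes, message: bytes, received_tag: str) -> bool:
    """Constant-time comparison, so the check itself does not leak the tag."""
    return hmac.compare_digest(tag(key, message), received_tag)


def demo() -> dict:
    """Run both checks against the intact message and a tampered copy."""
    key = secrets.token_bytes(32)  # shared key, agreed out of band (constructed)
    sent_digest = digest(MESSAGE)
    sent_tag = tag(key, MESSAGE)

    # Someone in the middle rewrites the destination account.
    tampered = MESSAGE.replace(b"ACC-2002", b"ACC-6666")

    return {
        # An unkeyed hash catches the modification...
        "hash_ok_intact": plain_hash_verifies(MESSAGE, sent_digest),
        "hash_ok_tampered": plain_hash_verifies(tampered, sent_digest),
        # ...but whoever changed the message can simply recompute the hash,
        # so a bare hash only detects accidental corruption, not tampering.
        "hash_ok_recomputed": plain_hash_verifies(tampered, digest(tampered)),
        # A keyed MAC cannot be recomputed without the key, so tampering is caught.
        "hmac_ok_intact": hmac_verifies(key, MESSAGE, sent_tag),
        "hmac_ok_tampered": hmac_verifies(key, tampered, sent_tag),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

A plain hash is still useful when the digest travels over a channel the attacker cannot modify (for example, a checksum published on a separate, authenticated page); when hash and message travel together, the keyed tag is what actually protects integrity.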
Availability
- Information or systems are accessible and modifiable in a timely fashion by those authorized to do so.
- Lack of availability is often referred to as a denial of service.
Ensuring availability
- Data backups
- Redundant systems
- Disaster recovery plans
Authentication is the process of recognizing a user's identity.
- Verification of a claim (you are who you say you are, where you say you are, at the time that you say it is)
Non-repudiation is the prevention of either the sender or the receiver denying a transmitted message.
Accountability means that the system is able to provide audit trails of all transactions.
Why Security?
- Cyberspace (the internet, the work environment, intranets) is becoming a dangerous place for every organization and individual trying to protect sensitive data or reputation, because of the sheer number of people and machines accessing it.
- Hacking tools are endless and can be found very easily by anyone just by googling.
- End-user technology has increased rapidly in recent years, e.g. internet bandwidth and computer processing speeds.
- Access to hacking information and manuals.
- https://www.cybintsolutions.com/cyber-security-facts-stats/
The History of Information Security
- Began immediately after the first mainframes were developed
- Groups developing code-breaking computations during World War II created the first modern computers
- Physical controls limited access to sensitive military locations to authorized personnel
- Rudimentary in defending against physical theft, espionage, and sabotage
The 1960s
- The Advanced Research Procurement Agency (ARPA) began to examine the feasibility of redundant networked communications. Larry Roberts developed ARPANET from its inception.
The 1970s and 80s
- ARPANET grew in popularity, as did its potential for misuse
- Fundamental problems with ARPANET security were identified:
  - No safety procedures for dial-up connections to ARPANET
  - Non-existent user identification and authorization to the system
- Late 1970s: the microprocessor expanded computing capabilities, and with them security threats
R-609
- Information security began with Rand Report R-609, the paper that started the study of computer security
- The scope of computer security grew from physical security to include:
  - Safety of data
  - Limiting unauthorized access to data
  - Involvement of personnel from multiple levels of an organization
The 1990s
- Networks of computers became more common; so too did the need to interconnect networks
- The Internet became the first manifestation of a global network of networks
- In early Internet deployments, security was treated as a low priority
The Present
- The Internet brings millions of computer networks into communication with each other, many of them unsecured
- The ability to secure a computer's data is influenced by the security of every computer to which it is connected
Components of an Information System
- An Information System (IS) is the entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization
- A computer can be the subject of an attack and/or the object of an attack
  - When the subject of an attack, the computer is used as an active tool to conduct the attack
  - When the object of an attack, the computer is the entity being attacked
Threats to Information Security
- A threat is an object, person, or other entity that represents a constant danger to an asset.
- Threats to information security include software attacks, theft of intellectual property, identity theft, theft of equipment or information, sabotage, and information extortion.
- A threat can be anything that can take advantage of a vulnerability to breach security and negatively alter, erase, or harm the object or objects of interest.
- Software attacks mean attacks by viruses, worms, Trojan horses, etc. Many users believe that malware, viruses, worms and bots are all the same thing. They are not: their only similarity is that they are all malicious software, and each behaves differently.
- Malware is a combination of two terms, malicious and software. Malware therefore means malicious software: an intrusive program, code, or anything else designed to perform malicious operations on a system.
- To better understand the numerous threats facing the organization, a categorization scheme has been developed.
- By examining each threat category in turn, management can most effectively protect its information through policy, education and training, and technology controls.

Security threats are categorized under these terms:
- Reconnaissance attacks
- Access attacks
- Denial of service (DoS) attacks
Reconnaissance Attacks
- In a reconnaissance attack, a hacker tries to gain information about your network, including its topology, the devices that reside inside it, the software running on them, and the configuration that has been applied to these devices.
- The hacker then uses this information to execute further attacks, such as DoS or access attacks. Reconnaissance attacks come in different types, including the following: scanning and eavesdropping.
- Scanning attacks
  - The most common type of reconnaissance attack is a scanning attack. A network scanning attack occurs when a hacker probes the machines in your network.
  - He might do this by sending an ICMP (Internet Control Message Protocol) ping to every IP address in your network, or he might use a network ping, in which he pings the directed broadcast address of every network.
  - As an example, if you have a network of 200.200.200.0/24, the hacker would ping 200.200.200.255.
  - A port-scanning utility probes the port numbers of a machine to detect whether a service is running. Using this approach, a hacker can determine whether the machine is running SMTP, Telnet, FTP, WWW, or other services.
  - The most common method of stopping network and port-scanning attacks is to use filtering devices. This can be something as simple as Cisco routers with access control lists or as sophisticated as a firewall.
  - You should always play it safe and disable all services that are not used in your network.
  - For instance, if you have a web server, you should disable services such as Telnet, SMTP and FTP on it.
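Filtering devices stop a scan, and the logs they produce are also how you notice one. The following is an added detection example, not code from the lecture or from any vendor: it runs over constructed firewall log lines (the SRC=/DST=/PROTO=/DPT= record format, the thresholds and the 60-second window are all assumptions of this example) and raises an alert when one source probes many ports on a single host, the port scan described above, or pings many hosts in the network, the sweep described above. The destination network is the 200.200.200.0/24 used on the slide; the sources are documentation addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (not from the lecture).
SAMPLE_LOG = [
    # one source touches seven different ports on one host within three seconds
    "2024-05-01T10:00:00 SRC=198.51.100.7 DST=200.200.200.10 PROTO=TCP DPT=21 ACTION=DROP",
    "2024-05-01T10:00:00 SRC=198.51.100.7 DST=200.200.200.10 PROTO=TCP DPT=22 ACTION=DROP",
    "2024-05-01T10:00:01 SRC=198.51.100.7 DST=200.200.200.10 PROTO=TCP DPT=23 ACTION=DROP",
    "2024-05-01T10:00:01 SRC=198.51.100.7 DST=200.200.200.10 PROTO=TCP DPT=25 ACTION=DROP",
    "2024-05-01T10:00:02 SRC=198.51.100.7 DST=200.200.200.10 PROTO=TCP DPT=80 ACTION=ACCEPT",
    "2024-05-01T10:00:02 SRC=198.51.100.7 DST=200.200.200.10 PROTO=TCP DPT=443 ACTION=ACCEPT",
    "2024-05-01T10:00:03 SRC=198.51.100.7 DST=200.200.200.10 PROTO=TCP DPT=3389 ACTION=DROP",
    # a normal client: two ports on one host, well under the threshold
    "2024-05-01T10:30:00 SRC=192.0.2.55 DST=200.200.200.10 PROTO=TCP DPT=443 ACTION=ACCEPT",
    "2024-05-01T10:30:05 SRC=192.0.2.55 DST=200.200.200.10 PROTO=TCP DPT=80 ACTION=ACCEPT",
] + [
    # another source pings twelve different hosts, one per second
    f"2024-05-01T10:05:{i:02d} SRC=203.0.113.9 DST=200.200.200.{i + 1} PROTO=ICMP TYPE=8 ACTION=ACCEPT"
    for i in range(12)
]

LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) PROTO=(\S+)(?: DPT=(\d+))?")
WINDOW = timedelta(seconds=60)   # events from one source are judged within this window
PORT_THRESHOLD = 5               # distinct ports on one host => port scan
SWEEP_THRESHOLD = 10             # distinct hosts pinged => ping sweep


def parse(lines):
    """Turn log lines into (timestamp, src, dst, proto, dport) tuples, oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a connection record; skip it
        ts, src, dst, proto, dport = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, proto,
                       int(dport) if dport else None))
    return sorted(events, key=lambda e: e[0])


def detect(lines):
    """Return (kind, src, dst, count) alerts for port scans and ping sweeps."""
    by_src = defaultdict(list)
    for ev in parse(lines):
        by_src[ev[1]].append(ev)

    worst = {}  # (kind, src, dst) -> highest count seen in any window
    for src, events in by_src.items():
        for i, (start, *_) in enumerate(events):
            ports = defaultdict(set)   # dst -> distinct ports probed
            pinged = set()             # distinct hosts pinged
            for ts, _, dst, proto, dport in events[i:]:
                if ts - start > WINDOW:
                    break
                if proto == "ICMP":
                    pinged.add(dst)
                elif dport is not None:
                    ports[dst].add(dport)
            for dst, probed in ports.items():
                if len(probed) >= PORT_THRESHOLD:
                    key = ("port-scan", src, dst)
                    worst[key] = max(worst.get(key, 0), len(probed))
            if len(pinged) >= SWEEP_THRESHOLD:
                key = ("ping-sweep", src, "*")
                worst[key] = max(worst.get(key, 0), len(pinged))
    return sorted(key + (count,) for key, count in worst.items())


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The thresholds are deliberately low so the constructed sample trips them; on a real network they are tuned against the normal fan-out of your own monitoring hosts, which would otherwise show up as sweeps.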
- Eavesdropping attacks
  - Another form of reconnaissance attack is eavesdropping. Eavesdropping is the process of examining packets as they are in transit between a source and a destination device.
  - A hacker typically uses a protocol-analyzer tool to perform eavesdropping.
  - The figure shows how eavesdropping works. In step 1 of this example, the hacker is examining traffic between the user and the server. The hacker notices that the user is establishing a Telnet connection and authenticates with a username and password. Because Telnet passes this information in clear text, the hacker now knows how to log into the Telnet server, spoofing the identity of the user. In step 2, the hacker uses this information to log into the Telnet server.
  - When eavesdropping, the hacker looks for account names and passwords, such as these:
    - Microsoft Windows login
    - Novell NetWare login
    - Telnet login
    - FTP login
    - HTTP login
  - Hackers also use eavesdropping to examine other information, perhaps database or financial transactions.
  - To prevent eavesdropping, your best solution is to use some form of encryption on your packets.
  - You should always encrypt the following types of information:
    - Passwords (and sometimes usernames)
    - Personal information, such as telephone numbers, medical information, driver's license numbers, and social security numbers
    - Credit card information
    - Financial transactions
    - Company trade secrets and sensitive information
Access Attacks
- Another common type of attack is an access attack. In an access attack, a hacker attempts to gain unauthorized or illegal access to your network and its resources, particularly resources such as file, e-mail, and web servers.
- He typically does this by trying to access password files, using password-cracking programs, or examining traffic on your network for packets that contain clear-text passwords (an eavesdropping attack).
- Other types of attacks include exploiting weaknesses in operating systems and applications, such as buffer overflows, that can allow a hacker access without first authenticating.
- After a hacker has broken into one of your networking devices, he usually tries to raise his privilege level to the highest possible degree and then uses this account to break into other networking devices.
- To accomplish this kind of attack, a hacker can use many tools and techniques, including the following:
  - Guessing passwords for well-known accounts, such as root and Administrator
  - Using a protocol analyser and executing an eavesdropping attack to examine clear-text passwords in packets
  - Accessing a password file and using a password-cracking program on it
  - Using social engineering
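The first item in the list above, guessing passwords for well-known accounts, leaves a clear trail in authentication logs. The following is an added example, not from the lecture: it parses constructed sshd-style log lines (the host name, the addresses, the five-minute window and the failure threshold are assumptions of this example), groups failures by source, and flags a source whose failures exceed the threshold inside the window, reporting which well-known accounts were tried and whether a successful login from the same source followed the failures.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts outcome user src")

# Constructed sshd-style auth log lines (not from the lecture); the host name is
# invented and the sources are documentation addresses.
SAMPLE_AUTH_LOG = [
    "May  1 10:00:01 fileserver sshd[2201]: Failed password for root from 198.51.100.7 port 51000 ssh2",
    "May  1 10:00:02 fileserver sshd[2201]: Failed password for root from 198.51.100.7 port 51001 ssh2",
    "May  1 10:00:03 fileserver sshd[2202]: Failed password for invalid user admin from 198.51.100.7 port 51002 ssh2",
    "May  1 10:00:04 fileserver sshd[2202]: Failed password for invalid user admin from 198.51.100.7 port 51003 ssh2",
    "May  1 10:00:05 fileserver sshd[2203]: Failed password for invalid user Administrator from 198.51.100.7 port 51004 ssh2",
    "May  1 10:00:06 fileserver sshd[2203]: Failed password for invalid user test from 198.51.100.7 port 51005 ssh2",
    "May  1 10:00:07 fileserver sshd[2204]: Failed password for root from 198.51.100.7 port 51006 ssh2",
    "May  1 10:00:08 fileserver sshd[2204]: Failed password for backup from 198.51.100.7 port 51007 ssh2",
    "May  1 10:00:09 fileserver sshd[2205]: Accepted password for backup from 198.51.100.7 port 51008 ssh2",
    # an ordinary user mistypes a password once, then logs in
    "May  1 10:10:00 fileserver sshd[2310]: Failed password for alice from 192.0.2.55 port 50000 ssh2",
    "May  1 10:10:05 fileserver sshd[2310]: Accepted password for alice from 192.0.2.55 port 50000 ssh2",
]

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)"
)
WINDOW = timedelta(minutes=5)  # failures from one source are counted inside this window
FAIL_THRESHOLD = 5             # this many failures in a window => alert
WELL_KNOWN = {"root", "administrator", "admin"}  # the accounts the slide names


def parse(lines):
    """Turn log lines into Event tuples, oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a login record; skip it
        ts, outcome, user, src = m.groups()
        # syslog timestamps carry no year; the default year is fine for intervals
        when = datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S")
        events.append(Event(when, outcome, user, src))
    return sorted(events, key=lambda e: e.ts)


def detect(lines):
    """Return one alert dict per source whose failures exceed the threshold."""
    by_src = defaultdict(list)
    for ev in parse(lines):
        by_src[ev.src].append(ev)

    alerts = []
    for src, events in by_src.items():
        fails = [e for e in events if e.outcome == "Failed"]
        # largest number of failures that fit inside one window
        peak = 0
        for i, first in enumerate(fails):
            n = sum(1 for e in fails[i:] if e.ts - first.ts <= WINDOW)
            peak = max(peak, n)
        if peak < FAIL_THRESHOLD:
            continue
        tried = {e.user for e in fails}
        alerts.append({
            "src": src,
            "failures_in_window": peak,
            "accounts_tried": sorted(tried),
            "well_known_accounts": sorted(u for u in tried if u.lower() in WELL_KNOWN),
            # a success from the same source after a burst of failures is the
            # case that needs immediate attention: the guessing may have worked
            "success_after_failures": any(
                e.outcome == "Accepted" and e.ts >= fails[0].ts for e in events),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUTH_LOG):
        print(alert)
```

The single mistyped password from the second source never reaches the threshold, so it produces no alert; the first source does, and because an accepted login follows its failures the alert is the kind that should be acted on immediately rather than merely counted.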

Denial of Service Attacks
- Besides reconnaissance attacks, the second most common form of security threat and attack is the DoS attack.
- With a DoS attack, a hacker attempts to deny legitimate traffic and user access to a particular resource, or, at the very least, to reduce the quality of service for a resource.
- Many kinds of DoS attacks exist; the simplest to implement is a flood attack, in which the hacker overwhelms a device or network with a flood of ICMP packets.
The following are common solutions used to detect and prevent DoS attacks:
- Performing packet filtering
- Using an intrusion-detection system (IDS)
- Using routing protocols with authentication
- Running detailed audits and logs
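Packet filtering, the first solution listed above, can be as simple as a per-source rate limit on the ICMP flood just described. The following is an added example, not from the lecture: a token-bucket filter (the rate, the burst size and the `(time, source, protocol)` packet tuple are assumptions of this example) replays a constructed flood alongside a legitimate host's pings and shows the flood being dropped once its bucket is empty while normal traffic passes untouched.

```python
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = None  # time of the previous packet from this source

    def allow(self, now: float) -> bool:
        if self.last is not None:
            # refill in proportion to elapsed time, never beyond the burst size
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class IcmpRateFilter:
    """Per-source packet filter that rate-limits ICMP and passes everything else."""

    def __init__(self, rate: float = 5.0, burst: int = 10):
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))
        self.stats = defaultdict(lambda: {"accepted": 0, "dropped": 0})

    def filter(self, packet) -> bool:
        t, src, proto = packet  # constructed packet shape: (seconds, source, protocol)
        if proto != "ICMP":
            self.stats[src]["accepted"] += 1
            return True  # other protocols are not subject to this limiter
        ok = self.buckets[src].allow(t)
        self.stats[src]["accepted" if ok else "dropped"] += 1
        return ok


def simulate() -> dict:
    """Replay a constructed flood and some legitimate traffic through the filter."""
    packets = []
    # constructed flood: 1000 ICMP packets in one second from a single source
    packets += [(i / 1000.0, "198.51.100.7", "ICMP") for i in range(1000)]
    # constructed monitoring host: one ping per second for five seconds
    packets += [(float(i), "192.0.2.55", "ICMP") for i in range(5)]
    # an ordinary TCP connection from a third host, untouched by the limiter
    packets.append((0.5, "203.0.113.9", "TCP"))
    packets.sort()
    f = IcmpRateFilter(rate=5.0, burst=10)
    for p in packets:
        f.filter(p)
    return {src: dict(counts) for src, counts in f.stats.items()}


if __name__ == "__main__":
    for src, counts in simulate().items():
        print(src, counts)
```

With a burst of 10 and a refill of 5 tokens per second, the flooding source gets its first 10 packets through plus 4 more earned during the second, and the remaining 986 are dropped; the monitoring host never exhausts its bucket. The filter protects the device behind it, not the link in front of it, which is why flood handling on a busy network also relies on the upstream filtering and the IDS listed above.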
Vulnerabilities, Threats, Controls and Attacks
- Vulnerability: a weakness in a security system
- Threat: circumstances that have the potential to cause harm
- Controls: means and ways to block a threat that tries to exploit one or more vulnerabilities
- Attack: the materialization of a vulnerability/threat combination