Chapter 1: Introduction To Information Security
What is Security?
✓ “The quality or state of being secure: to be free from danger”
✓ To be protected from adversaries, from those who would do harm, intentionally or otherwise
✓ Freedom from risk or danger; safety.
✓ Freedom from doubt, anxiety, or fear; confidence
✓ A successful organization should have multiple layers of security in place:
➢ Physical security
➢ Personal security
➢ Operations security
➢ Communications security
➢ Network security
➢ Information security
Compiled By: Kabtamu D.
Why Security?
The Internet was initially designed for connectivity
✓ Trust assumed
✓ We do more with the Internet nowadays
✓ Security protocols are added on top of TCP/IP
Computer Security
Computer Security is a Branch of Computer Technology
• It is Information security as applied to computers and networks.
• The objective: protection of information from
➢ Theft
➢ Corruption
➢ Damage from disaster
Definition
Security: The prevention and protection of computer assets from unauthorized access, use,
alteration, degradation, destruction, and other threats.
“The term computer system security means the collective processes and mechanisms by which sensitive and valuable information and services are protected from publication, tampering [alteration] or collapse by unauthorized activities, untrustworthy individuals and unplanned events, respectively.”
Privacy
✓ Privacy: The legal right of groups/individuals/organizations to be protected against unauthorized intrusion into their personal life/affairs, by direct physical means or by publication of information.
✓ Security or Privacy Threat: Any individual, group, act, or object that poses a danger to computer security or privacy is known as a threat.
No Tension??
➢ No Computer
➢ No Network
➢ No Internet
• The most secure arrangement: either no computers at all, or computers that are not connected to any network or the Internet and are protected from any intrusion
✓ Information security: a “well-informed sense of assurance that the information risks and
controls are in balance.”
✓ IS security is a classic battle of “good vs. evil.”
✓ Computer security: The protection afforded to an automated information system in order
to attain the applicable objectives of preserving the integrity, availability and
confidentiality of information system resources (includes hardware, software, firmware,
information/data, and telecommunications).
✓ IT Security Management: a process used to achieve and maintain appropriate levels of
confidentiality, integrity, availability, accountability, authenticity and reliability.
✓ IT Security Management functions include:
➢ Organizational IT security objectives, strategies and policies
➢ Determining organizational IT security requirements
➢ Identifying and analyzing security threats to IT assets
➢ Identifying and analyzing risks
➢ Specifying appropriate safeguards
➢ Monitoring the implementation and operation of safeguards
➢ Developing and implementing a security awareness program
➢ Detecting and reacting to incidents
➢ In a general sense, security means protecting our assets.
➢ This may mean protecting them from attackers invading our networks, natural
disasters, adverse environmental conditions, power failures, theft or vandalism, or
other undesirable states.
➢ Ultimately, we will attempt to secure ourselves against the most likely forms of
attack, to the best extent we reasonably can, given our environment.
Securing Components in IS
✓ The computer (software and hardware) is the key component in an information system
✓ A computer can be the subject of an attack and/or the object of an attack
➢ When the subject of an attack, the computer is used as an active tool to conduct the attack
➢ When the object of an attack, the computer is the entity being attacked
➢ Attacks can also be of two types:
• Direct (the attack is directed at the computer itself)
• Indirect (the computer is attacked in order to cause problems for another system, e.g. DoS)
✓ Physical security – To protect the physical items, objects, or areas of an organization from
unauthorized access and misuse.
✓ Personal security – To protect the individual or group of individuals who are authorized to
access the organization and its operations.
✓ Operations security – To protect the details of a particular operation or series of activities.
✓ Communications security – To protect an organization’s communications media,
technology, and content.
✓ Network security – To protect networking components, connections, and contents.
Computer as Subject and Object of an attack
Information Security: Basic Requirements, also known as the security triad (CIA)
Necessary tools for information security: policy, awareness, training, education, technology
✓ C.I.A. Triangle
✓ Industry standard for computer security since the development of the mainframe.
✓ It was solely based on three characteristics that described the utility of information:
confidentiality, integrity, and availability.
✓ When you design and use security controls, you are addressing one or more of these
components.
✓ Three widely accepted elements or areas of focus (referred to as the “CIA Triad”):
• Confidentiality
• Integrity
• Availability (Recoverability)
✓ Includes Physical Security as well as Electronic
A. Confidentiality
✓ The term privacy is often used when the data to be protected refer to individuals
✓ The quality or state of preventing disclosure or exposure to unauthorized individuals or systems.
• Data confidentiality: Assures that confidential information is not disclosed to
unauthorized individuals
Of personal data and information
❖ Credit card account numbers and bank account numbers
❖ Social Security numbers and address information
Of intellectual property of businesses
❖ Copyrights, patents, and secret formulas
❖ Source code, customer databases, and technical specifications
Of national security
❖ Military intelligence
❖ Homeland security and government-related information
B. Integrity - it refers to information protection from modifications; it involves several goals:
✓ Assuring the integrity of information with respect to the original information (relevant
especially in web environment) – often referred to as authenticity
✓ Protecting information from unauthorized modifications
✓ Protecting information from incorrect modifications – referred to as semantic integrity.
✓ The quality or state of being whole, complete, and uncorrupted.
• Data integrity: assures that information and programs are changed only in a
specified and authorized manner
• System integrity: Assures that a system performs its operations in an unimpaired manner
• The integrity of information is threatened when the information is exposed to
corruption, damage, destruction, or other disruption of its authentic state.
• Data has integrity if the data is not altered, is valid, and is accurate
Of user names and passwords; patents, copyrights and source code; diplomatic information and financial data
Although the use of the CIA triad to define security objectives is well established, some in the
security field feel that additional concepts are needed to present a complete picture. Two of the
most commonly mentioned are:
✓ Authenticity: The property of being genuine and being able to be verified and trusted;
confidence in the validity of a transmission, a message, or message originator.
✓ Accountability: The security goal that generates the requirement for actions of an entity
to be traced uniquely to that entity.
Critical Characteristics of Information
✓ The C.I.A. triangle has expanded into a list of critical characteristics of information
✓ The value of information comes from the characteristics it possesses:
1. Accuracy – Free from mistake or error and having the value that the end user expects.
If information contains a value different from the user’s expectations due to the
intentional or unintentional modification of its content, it is no longer accurate.
2. Authenticity –The quality or state of being genuine or original, rather than a
reproduction or fabrication. Information is authentic when it is the information that was
originally created, placed, stored, or transferred.
3. Utility – The quality or state of having value for some purpose or end. Information has
value when it serves a particular purpose. This means that if information is available,
but not in a format meaningful to the end user, it is not useful.
4. Possession – The quality or state of having ownership or control of some object or item.
Information is said to be in possession if one obtains it, independent of format or other
characteristic. While a breach of confidentiality always results in a breach of
possession, a breach of possession does not always result in a breach of confidentiality.
which raises questions about the creation, distribution, and protection of that secret
information.
6. It is a battle of wits between a perpetrator who tries to find holes and the designer or
administrator who tries to close them. The great advantage that the attacker has is that he or
she need only find a single weakness, while the designer must find and eliminate all weaknesses
to achieve perfect security.
7. There is a natural tendency on the part of users and system managers to perceive little benefit
from security investment until a security failure occurs.
8. Security requires regular, even constant, monitoring, and this is difficult in today’s short-term,
overloaded environment.
9. Security is still too often an afterthought to be incorporated into a system after the design is
complete rather than being an integral part of the design process.
10. Many users and even security administrators view strong security as an impediment to efficient
and user-friendly operation of an information system or use of information. The difficulties
just enumerated will be encountered in numerous ways as we examine the various security
threats and mechanisms.
11. Internet infrastructures are vulnerable.
12. Solutions usually require a larger scale of modification
13. Security and performance tradeoff
14. Security is only as strong as the weakest link
15. Attacks can be launched easily and are difficult to trace
Categories of attacks
• Interruption: An attack on availability
• Interception: An attack on confidentiality
• Modification: An attack on integrity
• Fabrication: An attack on authenticity
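An added example, not from these notes, showing how a receiver detects two of the four categories above with a keyed MAC: a Modification (body altered after tagging, an integrity failure) and a Fabrication (tag produced without the shared key, an authenticity failure). The transfer message, the shared key and the "guessed" key are all constructed demo values.

```python
import hashlib
import hmac
import json

# Constructed key shared by the two legitimate parties (a demo value, not a real secret).
SHARED_KEY = b"demo-shared-key-replace-in-practice"


def seal(message: dict, key: bytes = SHARED_KEY) -> dict:
    """Sender side: attach an HMAC-SHA256 tag computed over the canonical message."""
    body = json.dumps(message, sort_keys=True).encode()
    return {"body": message, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify(envelope: dict, key: bytes = SHARED_KEY) -> bool:
    """Receiver side: accept only if the tag matches under the shared key.

    A mismatch means either the body was altered after sealing (Modification,
    an attack on integrity) or the tag was produced without the key
    (Fabrication, an attack on authenticity). The receiver cannot tell which
    and does not need to: both are rejected.
    """
    body = json.dumps(envelope["body"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so the comparison itself leaks nothing.
    return hmac.compare_digest(expected, envelope.get("tag", ""))


def run_demo() -> dict:
    """Three constructed envelopes, one per outcome the receiver must handle."""
    genuine = seal({"from": "alice", "to": "bob", "amount": 50})

    # Modification: the body is changed in transit but the original tag is kept.
    modified = {"body": dict(genuine["body"], amount=5000), "tag": genuine["tag"]}

    # Fabrication: an envelope built by a party that does not hold SHARED_KEY.
    fabricated = seal({"from": "alice", "to": "mallory", "amount": 5000},
                      key=b"guessed-key")

    return {
        "genuine": verify(genuine),
        "modified": verify(modified),
        "fabricated": verify(fabricated),
    }


if __name__ == "__main__":
    for case, accepted in run_demo().items():
        print(f"{case:10s} -> {'accepted' if accepted else 'rejected'}")
```

Interruption (the attack on availability) is not something a MAC can address; it is handled by redundancy and recovery, not by message checks.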
Network Attacks
✓ Packet Sniffing
o Internet traffic consists of data “packets”, and these can be “sniffed”
o Leads to other attacks such as password sniffing, cookie stealing, session hijacking and information stealing
✓ Man in the Middle
o Insert a router in the path between client and server, and change the packets as
they pass through
Web Attacks
✓ Phishing
o An evil website pretends to be a trusted website
o Example:
▪ You type, by mistake, “mibank.com” instead of “mybank.com”
▪ mibank.com designs the site to look like mybank.com so the user types in
their info as usual
▪ BAD! Now an evil person has your info!
✓ Cross Site Scripting
o Writing a complex JavaScript program that steals data left by other sites that you have visited in the same browsing session
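An added example, not from these notes, of the defender's side of the phishing case above: flagging hostnames that sit one typo away from a protected domain (mibank.com for mybank.com). The allow-list and the sample hostnames are constructed; a real deployment would feed it names from DNS or proxy logs.

```python
LEGITIMATE_DOMAINS = {"mybank.com"}  # constructed allow-list of domains we protect


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance counting insertion, deletion, substitution and adjacent swap."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent transposition
        prev2, prev1 = prev1, cur
    return prev1[-1]


def lookalike_of(host: str, legitimate=LEGITIMATE_DOMAINS, max_distance: int = 1):
    """Return the protected domain that `host` imitates, or None.

    An exact match is the real site and is never flagged; a name within
    `max_distance` edits of a protected domain (one wrong, missing, extra or
    swapped character, as in mibank.com for mybank.com) is reported.
    """
    host = host.lower().rstrip(".")
    if host in legitimate:
        return None
    for real in sorted(legitimate):
        if damerau_levenshtein(host, real) <= max_distance:
            return real
    return None


def flag_hosts(observed):
    """Scan hostnames seen in DNS or proxy logs; return (host, imitated domain) pairs."""
    flagged = []
    for host in observed:
        real = lookalike_of(host)
        if real is not None:
            flagged.append((host, real))
    return flagged


if __name__ == "__main__":
    # Constructed sample of hostnames as they might appear in a proxy log.
    sample = ["mybank.com", "mibank.com", "mybnak.com", "mybank.co", "example.org"]
    for host, real in flag_hosts(sample):
        print(f"{host} looks like {real}")
```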
Vulnerability in Computing
✓ In computer security, vulnerability is a weakness which allows an attacker to reduce a
system's information assurance.
✓ Vulnerability is the intersection of three elements:
➢ A system susceptibility or flaw itself (fault),
➢ Attacker access to the flaw (fault), and
➢ Attacker capability to exploit the flaw (fault).
✓ To exploit vulnerability, an attacker must have at least one applicable tool or technique
that can connect to a system weakness. In this frame, vulnerability is also known as the
attack surface.
Defining vulnerability
✓ “A weakness of an asset or group of assets that can be exploited by one or more threats.”
✓ Where an asset is anything that has value to the organization, its business operations and their continuity, including information resources that support the organization's mission
ISO 27005 definition
Types of Vulnerabilities
✓ Physical vulnerabilities (Ex. Buildings)
✓ Natural vulnerabilities (Ex. Earthquake)
✓ Hardware and Software vulnerabilities (Ex. Failures)
✓ Media vulnerabilities (Ex. Disks can be stolen)
✓ Communication vulnerabilities (Ex. Wires can be tapped)
✓ Human vulnerabilities (Ex. Insiders)
Classification of Vulnerabilities
1. Hardware
o Susceptibility to humidity
o Susceptibility to dust
o Susceptibility to soiling
o Susceptibility to unprotected storage
2. Software
➢ Insufficient testing
➢ Lack of audit trail
3. Network
o Unprotected communication lines
o Insecure network architecture
4. Personnel
➢ Inadequate recruiting process
➢ Inadequate security awareness
5. Site
o Area subject to flood
o Unreliable power source
6. Organizational
➢ Lack of regular audits
➢ Lack of continuity plans
➢ Lack of security
Causes of Vulnerabilities
1. Complexity: Large, complex systems increase the probability of flaws and unintended
access points
2. Familiarity: Using common, well-known code, software, operating systems, and/or
hardware increases the probability an attacker has or can find the knowledge and tools to
exploit the flaw
3. Connectivity: More physical connections, privileges, ports, protocols, and services, and the time each of those is accessible, increase vulnerability
4. Password management flaws: The computer user uses weak passwords that could be
discovered by brute force. The computer user stores the password on the computer where
a program can access it. Users re-use passwords between many programs and websites.
5. Internet Website Browsing: Some internet websites may contain harmful Spyware or
Adware that can be installed automatically on the computer systems. After visiting those
websites, the computer systems become infected and personal information will be
collected and passed on to third party individuals.
6. Software bugs: The programmer leaves an exploitable bug in a software program. The
software bug may allow an attacker to misuse an application.
7. Not learning from past mistakes: for example, most vulnerabilities discovered in IPv4 protocol software were discovered again in the new IPv6 implementations
8. Research has shown that the most vulnerable point in most information systems is the human user, operator, designer, or other human, so humans should be considered in their different roles as asset, threat and information resource. Social engineering is an increasing security concern.
====================================================================
A threat is a potential or actual adverse event that may be malicious or incidental, and that can
compromise the assets of an enterprise or the integrity of a computer or network.
Countermeasures can take the form of software, hardware and modes of behavior. Software
countermeasures include:
• personal firewalls
• anti-virus software
• pop-up blockers
• Spyware detection/removal programs